The invention relates to a data exchange system comprising at least one portable data processing unit comprising data communication means, processing means and memory means, the latter comprising an executive program.

European patent application EP-A1-0,466,969 discloses a data exchange system comprising an IC card supporting multiple applications and a terminal. The IC card comprises a ROM for storing basic functions, e.g. crypto algorithms, an application independent common data field ("Gemeinschaftsdatenfeld"), and an applications data field ("Anwendungsdatenfeld") with a control list ("Steuerliste"). Each protocol forms a combination of a set of basic functions and possible intermediate conditions, determined by the control list of the chosen application.

International patent application WO-A-87/07063 discloses a system for a portable data carrier having multiple application files. One of the most important applications of such a portable data carrier is a smart card suitable for multiple applications. The known data carrier is described as a carrier of hierarchically structured data with security features to support multiple applications on the same data carrier. Applications are seen as sets of data. The patent application describes an implementation of a hierarchical file system on a data carrier to store alterable data in combination with a hierarchic set of access permissions. The data carrier responds to a set of common commands. File access permissions are distinct for different operations and granted in dependence on password verification. A password verification attempt counter is introduced, as well as the provision of destruction of stored data as sanction against too many access attempts. The known data carrier is presented primarily as a storage device and not as a processor. Only very simple functions may be performed by the executive program, such as binary logic operations. It is not possible to allow the performance of an unspecified set of operations on request of a terminal communicating with the data carrier. The only security option is the introduction of password verification. No other access condition verifications are possible within the known system. Besides, each application of the data carrier has its own file within the memory means of the data carrier. No special measures are taken to enhance the efficiency of the available memory space which, especially on smart cards, is very restrictive and therefore sets limits to the number of possible applications.

EP-A-0,479,655 relates to the implementation of access condition checks in smart cards. Only one specification technique for that is disclosed, however. It is desirable to provide for measures to include the possibility of other access condition verifications.

EP-A-0,361,491 relates to a chip card programming system to allow protected (re)programming of cards. It describes the use of write-once access conditions to control access to parts of the programmable memory to be programmed. In this way the number of applications on a single card can be extended. Verification of the access conditions with a variety of techniques including cryptographic protocols is described.

EP-A-0,292,248 relates to loading of applications on a smart card using an unalterable operating system program. It includes the implementation of a data access condition enforcement method using memory zones with assigned access attributes. Specific access conditions are "write-once" (which is only described implicitly) and "execute-only".

US-A-4,874,935 relates to card programming using a data dictionary, where the data dictionary describes the layout of data elements stored in the card's memory. Data dictionaries are commonly understood to differ from directories in that they not only describe data actually stored, but also data which will be stored later. In addition, data dictionaries usually include a description of the data format. In compiled format data dictionaries are used in database management systems, where they are stored on the hard disc as part of the database. They are also found in the object load files resulting from program compilation in software development environments. However, the patent does not claim a representation of data dictionaries particularly suited for smart cards.

The main object of the present invention is to present means to cope optimally with the restrictions imposed by limited physical dimensions of available memory space on portable data processing units, especially smart cards.

A further object of the present invention is to offer a more general mechanism of protected loading of program codes and to allow such a loading for multiple programs, each for one application of each portable data processing unit.

Moreover, the present invention is directed to the provision of the use of access condition verifications not prescribed by the manufacturer of the portable processing unit but chosen by the application designer to suit his particular needs.

Therefore the system according to the invention is characterized in that the memory means further comprises at least one interaction context containing the following coherent data structure:

a. a set of basic communication primitives which are accepted whenever the data processing unit communicates with a similar unit, said primitives at least including a primitive used to selectively enter one of the said interaction contexts;

b. a set of procedural descriptions defining the actions to be performed in response to each of the accepted communication primitives, at least comprising a first procedural description to be performed upon activating the interaction context, and a last procedural description to be performed immediately before deactivating the context;

c. a, possibly empty, set of data elements either permanently stored or computed, which are available for use when procedures as defined in the procedural descriptions are performed;

d. a, possibly empty, set of references to data elements, which references are associated to the procedural descriptions, said data elements being also accessible to possibly further interaction contexts and available for use when procedures as defined in the procedural descriptions are performed;

e. a, possibly empty, data list comprising a list of references to data elements which are available for explicit reference as part of a communication primitive, to be used by the procedural description associated with the communication primitive;

f. a set of access conditions associated to the data elements which are referenced in association to the procedural descriptions;

g. a set of access conditions associated to the list of data references in the data list.

By defining data within the memory means of the portable processing unit in such a way, the processing unit is really organized as a processor, i.e. it not only allows logical operations but it performs processes which may be loaded into the processing unit by persons authorized to do so, e.g. a staff member of a bank. By providing procedures which may perform arbitrarily complex operations in response to received commands, and by providing an explicit list of stored data elements which are addressable as part of such commands, the communication bandwidth can be optimally used, resulting in a reduced number of commands exchanged. With a system according to the invention many actual uses of the system will require the exchange of only two commands. The only thing that is fixed is the structure within the memory means, which is defined in such a way that several applications of the unit may be added in a very efficient way, i.e. by using as little additional memory space as possible. This is of prime importance especially if the unit is a smart card, which is severely limited as regards available memory space. Besides, the structure according to the invention offers all possibilities to include security measures in order to inhibit unauthorized people from access to processes or data that they are not entitled to use.

In a first preferred embodiment the data exchange system defined above is characterized in that the memory means further comprises at least two interaction contexts, at least one application description and a memory element storing a reference to the interaction context currently being in force, each application description comprising:

a. a data list comprising references to data elements, which references may be accessible to two or more interaction contexts and may be extended by additional data elements;

b. a further set of access conditions associated to said references or to said additional data elements and defining restrictions of use.

By these measures all references to data elements which are common to different interaction contexts are accessible for all those interaction contexts, so they only need be stored once, saving memory space. Also common access conditions to said data references are accessible to predetermined interaction contexts. Therefore, also these common access conditions need only be stored once, thereby saving memory space and enhancing efficiency.

Each application description may also comprise a procedure library comprising units of executable code which can be used by procedural descriptions of each interaction context associated to each of said application descriptions.

Preferably, the processing unit is suitable for at least two applications with use of little additional memory space. To obtain this object the data exchange system according to the invention is characterized in that the memory means comprises at least two application descriptions and units of executable code which can be used by procedural descriptions of each interaction context within each application description or by each unit of executable code of each procedure library within each application description.

Preferably, the units of executable code in the procedure library are enhanced by including a specification of the use of their operational parameters in classes relating to attributes pertaining to data elements which can be passed as actual value in a computation, which computation only proceeds if the data attributes and parameter classes match. This is an efficient way of verifying access conditions both on data level and on function level, for which a very efficient implementation exists.
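The structure of items a to g and the parameter class check just described, as an added Python model that is not part of the patent: the attribute class names, the primitive numbers, the PIN, key and door values and the condition names ("PIN_VERIFIED") are constructed for the example, and an element's class "matches" a parameter class when the two share a class.

```python
import hmac
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Callable, Dict, List, Set

class Attr(Flag):
    # Attribute classes a data element may carry; the class names are constructed for this model.
    PUBLIC = auto()
    SECRET = auto()          # usable inside a computation, never to be returned to the terminal
    PIN_PROTECTED = auto()

@dataclass
class DataElement:
    value: bytes
    attrs: Attr
    # items f/g: per operation, the access conditions that must all hold in the session state
    access: Dict[str, Set[str]] = field(default_factory=dict)

@dataclass
class LibraryProcedure:          # unit of executable code in the procedure library
    param_classes: List[Attr]    # required attribute class per positional parameter
    body: Callable[..., bytes]   # called as body(state, operand, *element_values)

@dataclass
class ProceduralDescription:     # item b: the action behind one communication primitive
    library_proc: str
    data_refs: List[str]         # item d: references into the application's shared data list
    operations: List[str]        # operation performed on each referenced element

@dataclass
class ApplicationDescription:
    data_list: Dict[str, DataElement]      # stored once, shared by all contexts of the application
    library: Dict[str, LibraryProcedure]

@dataclass
class InteractionContext:
    name: str
    application: ApplicationDescription
    commands: Dict[int, ProceduralDescription]   # item a: primitives accepted in this context

class AccessViolation(Exception): pass

def run_procedure(ctx, desc, state, operand=b"") -> bytes:
    """Run one procedural description, enforcing data-level and function-level checks."""
    proc = ctx.application.library[desc.library_proc]
    args = []
    for ref, op, required in zip(desc.data_refs, desc.operations, proc.param_classes):
        elem = ctx.application.data_list[ref]
        # data level: conditions stored with the element must hold; no entry for op means never
        missing = elem.access.get(op, {"NEVER"}) - state
        if missing:
            raise AccessViolation(f"{ref}: {op} needs {sorted(missing)}")
        # function level: the element's class must match the parameter class of the library unit
        if not elem.attrs & required:
            raise AccessViolation(f"{ref}: {elem.attrs.name} not accepted by {desc.library_proc}")
        args.append(elem.value)
    return proc.body(state, operand, *args)

class Executive:
    ENTER_CONTEXT = 0x00   # primitive value reserved for entering a context (constructed choice)
    def __init__(self, contexts: Dict[str, InteractionContext], default: InteractionContext):
        self.contexts, self.default = contexts, default
        self.current, self.state = default, set()   # context in force and its security conditions

    def handle(self, primitive: int, operand: bytes = b"") -> bytes:
        if primitive == self.ENTER_CONTEXT:
            # conditions never carry over; an unknown name leaves the default context in force
            self.state = set()
            self.current = self.contexts.get(operand.decode(), self.default)
            return b""
        desc = self.current.commands.get(primitive)
        if desc is None:
            raise AccessViolation(f"primitive {primitive:#x} not accepted in {self.current.name}")
        return run_procedure(self.current, desc, self.state, operand)

def build_demo() -> Executive:
    # Constructed door-access application with a low-security and a high-security context.
    def verify_pin(state, operand, stored):
        if hmac.compare_digest(operand, stored):
            state.add("PIN_VERIFIED")
        return b"\x90\x00" if "PIN_VERIFIED" in state else b"\x63\x00"
    def mac_over(state, operand, key, data):
        return hmac.new(key, data + operand, "sha256").digest()[:8]
    data = {
        "pin":   DataElement(b"1234", Attr.PIN_PROTECTED, {"compare": set()}),
        "key":   DataElement(b"k" * 16, Attr.SECRET, {"use": {"PIN_VERIFIED"}, "read": {"PIN_VERIFIED"}}),
        "doors": DataElement(b"\x01\x05", Attr.PUBLIC, {"read": set()})}
    lib = {
        "verify_pin": LibraryProcedure([Attr.PIN_PROTECTED], verify_pin),
        "read_out":   LibraryProcedure([Attr.PUBLIC], lambda state, operand, value: value),
        "mac":        LibraryProcedure([Attr.SECRET, Attr.PUBLIC], mac_over)}
    app = ApplicationDescription(data, lib)
    open_door = InteractionContext("open", app, {0x10: ProceduralDescription("read_out", ["doors"], ["read"])})
    program = InteractionContext("program", app, {
        0x20: ProceduralDescription("verify_pin", ["pin"], ["compare"]),
        0x21: ProceduralDescription("mac", ["key", "doors"], ["use", "read"]),
        0x22: ProceduralDescription("read_out", ["key"], ["read"]),   # allowed by data level, stopped by class check
    })
    return Executive({"open": open_door, "program": program}, open_door)
```

Command 0x22 shows why the two levels are complementary: its data-level conditions are satisfied once the PIN is verified, but the SECRET key still cannot be handed to a library unit that only accepts PUBLIC parameters.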

More reliability of the system is offered if the data exchange system according to the invention is characterized in that the executive program comprises a reference to a default interaction context which is used to initialise the memory element storing a reference to the interaction context currently being in force, in order to carry out a final action after detection of an internal inconsistency in a recovery to a normal state of operation, or whenever the executive program is active and no explicit interaction context has been specified by a communication primitive received from an opposite data processing unit.

In order to enhance the security of data and functions within the processing unit, the data exchange system according to the invention may be characterized in that the memory means comprises an interaction context dedicated to comprise Personal Identification Numbers and that the executive program is arranged to verify Personal Identification Numbers supplied by a user of the data exchange system.

Advantageously the Personal Identification Number management interaction context and the default context can be implemented as part of the same device holder application. Support of this application by most devices with which a device according to the invention communicates would give the device owner the opportunity to review his personal data as stored in the device memory; for instance, a smart card holder could be allowed to modify his PIN at any smart card terminal which provides an appropriate user interface.

Each application description may comprise a list of numeric values which is constructed to provide identifiers for all interaction contexts and comprises at least a first numeric value indicating an application type, a second numeric value indicating a unique identification of the entity providing the application, a third numeric value indicating the nature of the application description and further numbers each uniquely referring to one interaction context associated with the application description.

The string of numeric values uniquely referring to an interaction context provides a means of establishing interoperability between two communicating devices which is more efficient than is currently envisaged for e.g. smart cards, in relegating to the application providing entity the responsibility to assign unique values to each interaction context while leaving assignment of unique numbers to entities and applications to relevant bodies of sectoral and international co-operation respectively. With benefit the application providing entity can assign the unique context numbers to incorporate implementation version and secret key generation information.

The data communication means may be arranged to structure data exchange in blocks of data comprising at least two parts, a first part being data qualified as operational in that it is used to influence the nature of the operations performed by a command as indicated by a communication primitive or to influence the nature of data resulting from operations carried out, a second part being qualified as security in that it is used to determine the appropriateness of performing an operation or the acceptability of data within the operational part to be used in the operation, or to prove completion of the operation or correctness of the resulting data.

Such appropriateness, acceptability, proof and correctness are obtained by performing relevant cryptographic operations on the data. Authentication and data protection are thus made an integral part of the command execution, providing better security than obtainable in current systems, e.g. smart cards.

The executive program may be arranged to perform, upon accepting a communication primitive to perform operations specified in the current interaction context, each operation as part of a predetermined and fixed sequence of actions each of which is specified separately as part of a procedural description associated to the accepted communication primitive, which actions comprise at least the following actions:

a. authorization of the use of the communication primitive;

b. decryption of operational data or any part of it;

c. performing a command with any input data;

d. encryption of any operational data resulting from any operation performed;

e. computation of a proof of completion of any performed action or of correctness of the resulting data, to be used in security computations.

Security is further enhanced if the data processing unit generates a random transaction number upon initializing data transfer, which serves as basis for cryptographic computations.
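The block layout with an operational and a security part, the fixed sequence a to e and the random transaction number, as an added model that is not the patent's code: the two shared keys, the 8-byte proof length, the per-transaction command counter and the PRF-derived keystream standing in for the card's cipher are all constructed assumptions.

```python
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict

# Shared keys and tag length are sample values constructed for this model.
KEY_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
KEY_ENC = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = 8

def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), "sha256").digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the card's cipher: PRF-derived keystream in counter mode XORed over the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, nonce, i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Block:
    primitive: int
    operational: bytes   # encrypted operational data: influences the operation or its result
    security: bytes      # proof over transaction number, direction, counter, primitive and data

class SecurityError(Exception): pass

class Party:
    def __init__(self) -> None:
        self.transaction = b""   # random transaction number of the current data transfer
        self.counter = 0         # commands so far in this transfer; makes every proof and nonce unique

    def tag(self, direction: bytes, primitive: int, data: bytes) -> bytes:
        ctr = self.counter.to_bytes(2, "big")
        return prf(KEY_AUTH, self.transaction, direction, ctr, bytes([primitive]), data)[:TAG_LEN]

    def nonce(self, direction: bytes) -> bytes:
        return self.transaction + direction + self.counter.to_bytes(2, "big")

class Card(Party):
    def __init__(self, commands: Dict[int, Callable[[bytes], bytes]]) -> None:
        super().__init__()
        self.commands = commands

    def reset(self) -> bytes:
        # random transaction number generated when data transfer is initialised
        self.transaction, self.counter = os.urandom(8), 0
        return self.transaction

    def execute(self, block: Block) -> Block:
        self.counter += 1   # advanced before checking, so a replayed block never verifies
        # a. authorization: the security part must be a valid proof for this transaction and counter
        if not hmac.compare_digest(block.security, self.tag(b"C", block.primitive, block.operational)):
            raise SecurityError("authorization of the communication primitive failed")
        # b. decryption of the operational data
        plain = keystream_xor(KEY_ENC, self.nonce(b"C"), block.operational)
        # c. performing the command on the input data
        result = self.commands[block.primitive](plain)
        # d. encryption of the resulting operational data
        cipher = keystream_xor(KEY_ENC, self.nonce(b"R"), result)
        # e. proof of completion, computed over the encrypted result
        return Block(block.primitive, cipher, self.tag(b"R", block.primitive, cipher))

class Terminal(Party):
    def start(self, card: Card) -> None:
        self.transaction, self.counter = card.reset(), 0

    def build(self, primitive: int, plain: bytes) -> Block:
        self.counter += 1
        cipher = keystream_xor(KEY_ENC, self.nonce(b"C"), plain)
        return Block(primitive, cipher, self.tag(b"C", primitive, cipher))

    def accept(self, reply: Block) -> bytes:
        if not hmac.compare_digest(reply.security, self.tag(b"R", reply.primitive, reply.operational)):
            raise SecurityError("proof of completion does not verify")
        return keystream_xor(KEY_ENC, self.nonce(b"R"), reply.operational)

def rejected(action: Callable[[], object]) -> bool:
    try:
        action()
    except SecurityError:
        return True
    return False

def demo() -> dict:
    """Constructed exchange with one primitive (0x20) that upper-cases its operational data."""
    card = Card({0x20: lambda data: data.upper()})
    term = Terminal()
    term.start(card)
    cmd = term.build(0x20, b"hello")
    reply = term.accept(card.execute(cmd))
    # altering the operational part in transit must fail step a
    forged = term.build(0x20, b"hello")
    forged = Block(forged.primitive, forged.operational[:-1] + bytes([forged.operational[-1] ^ 0xFF]), forged.security)
    tampered = rejected(lambda: card.execute(forged))
    # re-sending an accepted block must fail too: the card's counter has moved on
    replayed = rejected(lambda: card.execute(cmd))
    return {"reply": reply, "tampered_rejected": tampered, "replay_rejected": replayed}
```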

To provide for a possibility to enter a new interaction context if required, one communication primitive may be assigned a specified value which will always be interpreted as a request to enter a new interaction context.

In a further preferred embodiment the data exchange system according to the invention is characterized in that it comprises a further data processing unit comprising the same elements as the data processing unit as well as an application programmers interface which consists of program code designed to allow additional computer programs to be implemented to give users control over the sequence of exchanged communication primitives, or to influence the data transferred in them, or to learn or further process the data received in the exchange. Development of software for systems according to the invention will benefit from the availability of an application programmers interface.

In such a preferred embodiment of the invention the primitive used to enter a specified interaction context may comprise numeric values to be used in security calculations in subsequent communications, a first value generated at random by one of the processing units and a second value serving to identify said one processing unit.

To further benefit from the current invention, each communication primitive may further be structured to consist of two or more numeric values which enhance the expressive power of the communication primitive for interpretation by the executive program.

As a first alternative, each communication primitive may be composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being composed of a fixed number of binary values each of which is interpreted by the executive program as a reference to a single data element.

As a second alternative, each communication primitive may be composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being used to determine which of the data elements available for external reference in an active interaction context will be used while performing responding actions, in such a way that any data element is selected if it contains a value that matches said second value.

As a third alternative, each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being composed of a number of binary values which are assigned specific meanings by the executive program to be used in interpreting data formats in the communication primitive and in performing responding actions.
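The first and second alternative, as an added model that is not part of the patent: the two-byte wire layout (byte 0 the procedural description reference, byte 1 the second value), the 8-bit width of the binary values and the numeric tag stored with each externally referenceable element are assumptions, and the access conditions of item g are checked on every selected element.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass
class ExternalRef:
    name: str
    tag: int               # numeric value stored with the element, matched by the second alternative (assumed)
    conditions: Set[str]   # item g: access conditions on this entry of the external reference list

class CommandError(Exception):
    pass

def _check(ref: ExternalRef, state: Set[str]) -> ExternalRef:
    missing = ref.conditions - state
    if missing:
        raise CommandError(f"{ref.name}: access conditions {sorted(missing)} not met")
    return ref

def select_by_bitmask(refs: List[ExternalRef], mask: int, width: int, state: Set[str]) -> List[ExternalRef]:
    """First alternative: bit i of the second value references element i of the external list."""
    if not 0 <= mask < 1 << width:
        raise CommandError("second value does not fit the fixed number of binary values")
    chosen = []
    for i in range(width):
        if mask >> i & 1:
            if i >= len(refs):
                raise CommandError(f"bit {i} references no element of the active context")
            chosen.append(_check(refs[i], state))
    return chosen

def select_by_value(refs: List[ExternalRef], value: int, state: Set[str]) -> List[ExternalRef]:
    """Second alternative: every element whose stored value matches the second value is selected."""
    chosen = [_check(r, state) for r in refs if r.tag == value]
    if not chosen:
        raise CommandError(f"no element of the active context carries value {value}")
    return chosen

def decode_primitive(raw: bytes, refs: List[ExternalRef], state: Set[str]) -> Tuple[int, List[ExternalRef]]:
    """Constructed two-byte wire format: byte 0 refers to the procedural description, byte 1 is the bitmask."""
    if len(raw) != 2:
        raise CommandError("primitive must carry exactly two numeric values")
    return raw[0], select_by_bitmask(refs, raw[1], 8, state)
```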

The context mechanism defined above and the techniques it makes available lead to a wider range of smart card use and an approach to smart card application development which have a number of advantages over the traditional ways.

First of all, it allows the execution of application specific program code in a smart card without the need to thoroughly examine the code for potential threats to the security of data stored for other applications. As the access conditions which are stored with the data on the card are enforced by the card operating system without possibility of outside interference during execution of application code, a multi application card scheme does not need a program code vetting authority. Such an authority is the only way to allow a private code execution facility in traditional smart cards. By approving code for execution on a card a vetting authority incurs liabilities with respect to the overall system security; it makes the management of multi application smart card schemes much more complex. The associated complexity and costs make application specific code in traditional card schemes almost infeasible. With the new technique the demand for this facility from smart card application providers, which has been there for some time, can be met.

Secondly, as a direct consequence of the protected application of specific programs in cards, a specific application can be implemented that is dedicated to load other applications in the card. In this way the applications once loaded in a card can be protected from the very application that loaded them. This protection gives parties involved in a multi application card scheme, especially the card issuing entity and the application providing entities, a basis for their business agreement. Being based on tangible things such as the amount of storage needed on each card, the number of cards to be equipped and the duration of the application on the card, instead of an abstract notion of "trust" and "good care", the application provider's contract is easier to formulate than in traditionally implemented smart cards. Moreover, the card issuer and application provider do not need to share secret keys and protect this sharing with contractual obligations and mutually agreed key transportation facilities.

Thirdly, the application software, if implemented based on the new technique, has several benefits compared with prior art smart card operating systems:

* A minimal exchange of data between a terminal and a card is needed to establish interoperability between card and terminal, e.g. that they support the same application(s). Values of data to be exchanged to this end can be structured as proposed in the draft international standard ISO 7816-5;

* To complete a transaction between card and terminal the minimal number of data exchanges as theoretically inferred can actually be used, because the transaction is completed as a private computation, instead of the necessity to use a lengthy sequence of standard commands;

* It allows controlled access to data without requiring an involved access path dictated by a directory and file hierarchy shared by all applications, as currently in use and proposed for standardisation;

* It allows the development of the terminal and smart card application in tandem, which development process can be supported with computer software tools such as compilers and emulators. Design and implementation of card and terminal software can thus be lifted above the tedious and error prone assembly language coding currently required;

* It allows standardization of equipment, both cards and terminals, using an abstract formalism to describe the device capabilities, which gives flexibility towards future developments, such as new features offered by card or terminal manufacturers. The standardized terminal capability could include an API. In contrast, current standardization efforts in smart cards concentrate on prescribing fixed data contents of messages to provide identification values to be interpreted in a way as determined by the standard, which leaves little room for new developments.

Finally, with the new technique implementors of smart card operating systems are given great freedom in designing optimal implementations of the card's operating system kernel and terminal operating system. Smart card hardware designers are given several options to optimize chip silicon use with hardware support for basic operations included in the system kernel. Hardware cost reduction obtained starting with the specialized design defined above can be greater than when based on improvements on general purpose single chip computers.

The invention will now be described in detail with reference to some drawings which show an example of the implementation of the general principles of the present invention.

Figure 1 shows a prior art application design on smart cards based on a hierarchically organized collection of data elements;
figure 2 presents a diagram of the communication flow between a portable processing unit and a similarly structured processing unit in a format currently accepted as standard;
figure 3 presents a basic implementation of the present invention using the concept of interaction contexts in portable processing units, such as smart cards, and card terminals;
figure 4 presents an example of a practical organization of an execution context, highlighting different relationships between procedural descriptions contained in the interaction context and data elements and library functions used while performing the procedures;
figure 5 shows an example of a flow diagram of program execution control and security context switches involved in performing the procedural description invoked by a communication primitive.

The structure of data and files in prior art systems is depicted in figure 1. Basically there is a master file 1 which is connected to several elementary files 3 and one or more dedicated files 2. Each dedicated file 2 may be connected to one or more further dedicated files 2 and to one or more elementary files 3. The prior art uses a tree-like hierarchy of directories and files. The number of subordinate levels in the prior art structure is in principle unlimited. The terminology used in figure 1 is taken from the proposed international ISO standard 7816-4. According to the standard format for communication flow between a portable data processing unit 5 and a similarly structured data processing unit 4, as shown in figure 2, the communication comprises a set of pairs of blocks. The communication starts with a reset signal m0 from the data processing unit 4. Such a reset signal may be outside the communication bandwidth, such as generated by power-on logic in data processing unit 5. The portable data processing unit responds with an answer to reset (ATR) signal m1, possibly followed by contents. All subsequent pairs of blocks m2, m3, ..., m(n-1), mn consist of blocks headed by a communication primitive (e.g. a command) followed by contents.

Figure 3 shows the internal structure of two data processing units according to the invention which are communicating with each other by transmitting and receiving data. The left data processing unit 4 may be, among others, a terminal and the right data processing unit may be, among others, a portable data processing unit, e.g. a smart card. However, the invention is also applicable to two portable data processing units able to communicate with each other by appropriate communication means.

Each of the data processing units 4, 5 comprises data communication means 7, 14 through which structured blocks of data can be exchanged. Each of the data processing units 4, 5 comprises processing means 8, 15, and memory means 9, 16. The memory means 9, 16 could be any configuration of read-only memory (ROM), random access memory (RAM) and programmable read-only memory such as electrically erasable programmable read-only memory (EEPROM).



The memory means 9, 16 comprises an executive program 12, 17, here indicated by "MAXOS". If the portable data processing unit 5 is suitable for two or more applications, the memory means 9, 16 comprises two or more application descriptions 13(1) ... 13(n), 18(1) ... 18(n). There are as many application descriptions as there are applications of the data processing unit concerned. Each application description is indicated by "CSA". The second application description 13(2), 18(2) has been shown on an enlarged scale in figure 3 to allow display of the contents of each application description. Each application description 13(i), 18(i) comprises at least one "interaction context" 11(1) ... 11(m), 19(1) ... 19(m). Each interaction context is indicated by "CTA". The first of these interaction contexts 11(1), 19(1) has been shown on an enlarged scale to allow display of their contents. Each interaction context contains:

a set of commands specifying the communication primitives recognized by the interaction context and referencing appropriate procedures specified in a set of procedures;
a set of data;
a set of data references to data residing in other interaction contexts, if any;
a set of procedures that may be performed by the executive program 12, 17;
a set of access conditions to the data elements;
a set of external references referring to data elements to be used in commands issued by the other data processing unit;
optionally, developer specified other lists.

Finally, the memory means 9, 16 comprises a memory element 21, 20 that contains a reference to the "current CTA", i.e. the interaction context currently in force.

The intention of several interaction contexts within one application description is to provide a functional separation in possible interactions between the data processing units 4, 5. This is especially relevant when the functional separation is also a separation in security conditions. An example may be a first interaction between a smart card and a terminal to open, for instance, a door and a second interaction when programming the doors that are allowed to be opened. The second interaction needs better security than the first interaction and is assigned its own interaction context. Obtaining access to the interaction context is the first step in assuring the security of the operations that may be executed within the interaction context.

Figure 4 shows a practical approach to implementation of the context mechanism, displayed as a memory organization model which shows the relations between data elements, access conditions and procedures. The structure of figure 4 applies whenever there are two or more applications of the portable data processing unit 5. If there is only one application the structure is strongly simplified, as will be explained later. In figure 4 the reference numbers of the data processing unit 5 are depicted. However, the structure of figure 4 is likewise applicable to the memory means 9 of the data processing unit 4. In figure 4 data element descriptions and procedure descriptions are optimally organized to reflect sharing of program code and sharing of data between different interaction contexts (CTA's) which make up one application (CSA).

The memory means 16 comprise data elements H(1) ... H(7), executable code elements G(1) ... G(5) which are part of the operating system, and application descriptions 18(1), 18(2) (CSA1, CSA2). In figure 4, data and code which are internal to the operating system are left out. The number of data elements, executable code elements and application descriptions as presented in figure 4 is only given by way of example: the numbers may vary as required in reality.

Each application description 18(1), 18(2) is physically present in the memory means. They provide a first, bottom layer of abstraction to reflect memory use. Each application description 18(1), 18(2) consists of:

a procedure library consisting of units of executable code F(1) ... F(4) that may refer to units of executable code of the operating system made available for this purpose, as indicated by arrows p(1) ... p(5);
a list of data elements E(1) ... E(7) to be used by procedures within the interaction contexts 19(1) ... 19(2) within the present application description 18. This data list comprises data access conditions and pointers q(1) ... q(7) to storage areas holding data elements;
an interaction context list comprising a number of interaction context descriptions 19(1), 19(2).

The number of elements within the procedure library, the list of data elements and the interaction context list within the application description 18(1) as shown in figure 4 is for presentation purposes only. Of course, the number of elements may vary depending on the desired application.

Interaction contexts 19(1), 19(2) are physically present in the memory means storing the application description 18(1). Logically, the interaction contexts provide a second layer of memory use control. The combined control provided by this second layer and the application description layer gives an effective implementation of an execution context mechanism for portable data processing units, such as smart cards. Each interaction context 19(1), 19(2) comprises:

a list of procedural descriptions C(1) ... C(5). These procedural descriptions may refer to procedural descriptions in the procedure library within the application description 18, as indicated by example arrows s(1), s(2). Alternatively these procedural descriptions may refer to executable code elements G(1) ... G(5) provided by the operating system, as indicated by example arrow t(1). As a further alternative these procedural descriptions may contain explicit references to any data elements which are used by the procedure during execution and which are present in the data list of the application description 18 concerned, as indicated by arrows r(1) ... r(6);

a data list containing data elements B(1) ... B(5) exclusively available for use by the procedures in the interaction context concerned. Data elements are represented as references to the data list of the application description 18 concerned, with associated access conditions to adhere to when accessing the actual data, as indicated by arrows u(1) ... u(5);

an external interface list comprising communication primitives A(1) ... A(4) which are accepted as commands by the interaction contexts 19(1), 19(2) concerned. Each command within a communication primitive refers to a member of the procedural descriptions C(1) ... C(5) of the procedure list within the interaction context concerned, as indicated by arrows v(1) ... v(4). The commands, when issued by the communicating device 4, may refer to elements in the data list of the application description by one or more addresses following the command. Each command may be accompanied by data elements as input to the command processing. The number of addresses as given here is by example only and is determined for each command as required in reality.

Protection of data elements is provided for by the provision of access conditions. Any external command within a communication primitive A(1) ... A(4) can only address data elements referenced in the data list of the interaction context 19 concerned. Access is only allowed if the access conditions are met. These access conditions specify the type of access that is allowed for the command; such an access condition may be no access, read-only access, read-and-write access, and secret key use. Other access conditions may be applied too. For example, the command of communication primitive A(1) may have read-only access to data element B(2) through reference arrow w(2), while the command of communication primitive A(2) has read-and-write access to the same data element B(2) through reference arrow w(3).

Procedural descriptions C(1) ... C(5) can refer to data elements in the data list of the application description 18 concerned and no others. Again, access is only provided if the access condition is met. These access conditions also specify the type of access that is allowed: for instance, no access, read-only access, read-and-write access, and secret key use. Access conditions for different procedural descriptions within the same interaction context 19 may differ for the same application description data list element E(1) ... E(7), e.g. reference arrow r(1) may represent a read-only access condition, whereas reference arrow r(2) may represent a read-and-write access condition.

Access conditions are checked on the relevant level, i.e. application description level or interaction context level, and only once. An element B(1) ... B(5) of the data list within an interaction context 19(1), 19(2) refers directly by arrow u(1) ... u(5) to the pointer of a data element in the data list of the application description 18(1), because the access conditions are already met in the data list element E(1) ... E(7) of the application description 18(1). Procedural descriptions C(1) ... C(5) within an interaction context 19(1), 19(2) which refer to data list elements within application description 18(1), however, have to first meet the access condition associated with the data list elements E(1) ... E(7) within the application description 18(1). Any data elements or procedural description elements within the data lists of the application description 18(1) and its associated interaction contexts 19(1), 19(2) cannot be referred to by any other application description within the memory means 16. The executable code which constitutes the procedural description can only address data by indirection via the restricted set of data references associated with each of the procedural descriptions C(1) ... C(5). Using data elements described by B(1) ... B(5), the list of references is temporarily extended by the executive program with references to data elements as obtained by evaluating addresses which are actually specified in the communication message accepted as the command associated with the procedural description. Thus no other data can be accessed than explicitly specified, and only observing specified conditions of use. In other words, the preferred memory reference model of figure 4 as regards the application description with its associated interaction contexts provides an exclusive context for operations within one single application of the data processing unit 5. Data elements H(1) ... H(7) are stored in the memory means 16 common to all applications but contain data for exclusive use within the context of application description 18(1). Such exclusivity is guaranteed by the executive program in allowing the existence of a single pointer to each storage location, such as q(1) from E(1) to H(2). Only the code elements G(1) ... G(5) may be referred to by any of the application descriptions 18(1) ... stored within the memory means 16. These last references of application descriptions other than application description 18(1) to the common codes G(1) ... G(5) are not explicitly indicated in figure 4. However, any person skilled in the art can easily extend the structure of figure 4 to two or more application descriptions 18(1), 18(2).
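The two-tier reference model and its access-condition checks can be made concrete in code. The following Python model is an added example, not the patent's own code and not a smart card implementation: the class and function names, the encoding of access conditions as flags and the sample application CSA1 are all assumptions of this example. It shows a command reaching a data element only through the context's data list B(i), two commands holding different access conditions on the same element (as with arrows w(2) and w(3)), the condition of E(i) checked once at application description level, and the exclusivity of a storage location H(j) to one application.

```python
"""Added example, not the patent's own code: a model of the two-tier memory reference
structure of figure 4 (application description 18 with data list E(i) and procedure
library F(i); interaction context 19 with procedures C(i), data list B(i) and external
interface A(i)) and of its access-condition checks. All names are this example's own."""
from dataclasses import dataclass, field
from enum import IntFlag
from typing import Callable

class Access(IntFlag):
    READ = 1
    WRITE = 2
    KEY_USE = 4   # "secret key use": may feed a computation, never be read out
class AccessViolation(PermissionError):
    """Raised by the executive program when a reference or its access condition is refused."""
MEMORY: dict[str, bytearray] = {}   # memory means 16: storage locations H(j)
OWNER: dict[str, str] = {}          # H name -> the one application holding a pointer q(i) to it

@dataclass
class DataView:
    """Restricted reference set of one executing procedure: name -> (cell, condition)."""
    refs: dict[str, tuple[bytearray, Access]] = field(default_factory=dict)

    def cell(self, name: str, wanted: Access) -> bytearray:
        if name not in self.refs:   # nothing outside the set is reachable at all
            raise AccessViolation(f"{name} is not referenced by this procedure")
        store, cond = self.refs[name]
        if (wanted & cond) != wanted:
            raise AccessViolation(f"{name}: {wanted!r} not allowed by {cond!r}")
        return store

    def read(self, name: str) -> bytes:
        return bytes(self.cell(name, Access.READ))

    def write(self, name: str, value: bytes) -> None:
        self.cell(name, Access.WRITE)[:] = value

@dataclass
class AppDescription:
    """18(k): data list E(i) = (pointer q(i) to H(j), condition checked once here); library F(i)."""
    name: str
    data: dict[str, tuple[bytearray, Access]] = field(default_factory=dict)
    library: dict[str, Callable[[DataView, bytes], bytes]] = field(default_factory=dict)

    def add_data(self, e: str, h: str, cond: Access) -> None:
        if OWNER.setdefault(h, self.name) != self.name:   # exclusivity: a single pointer per H(j)
            raise AccessViolation(f"{h} is already bound to application {OWNER[h]}")
        self.data[e] = (MEMORY.setdefault(h, bytearray()), cond)

    def resolve(self, e: str, wanted: Access) -> bytearray:
        if e not in self.data:
            raise AccessViolation(f"{e} is not in the data list of {self.name}")
        store, cond = self.data[e]
        if (wanted & cond) != wanted:
            raise AccessViolation(f"{e}: {wanted!r} exceeds {cond!r}")
        return store

@dataclass
class InteractionContext:
    """19(k): C(i) -> (F name, {E: cond}) [arrows s, r]; B(i) -> E name [arrows u];
    A(i) -> (C name, {B: cond}) [arrows v, w]."""
    app: AppDescription
    procedures: dict[str, tuple[str, dict[str, Access]]]
    data_list: dict[str, str]
    commands: dict[int, tuple[str, dict[str, Access]]]

    def execute(self, code: int, operands: list[str], payload: bytes = b"") -> bytes:
        if code not in self.commands:
            raise AccessViolation(f"command {code:#04x} is not accepted in this context")
        c_name, cmd_access = self.commands[code]
        f_name, proc_refs = self.procedures[c_name]
        view = DataView({e: (self.app.resolve(e, c), c) for e, c in proc_refs.items()})
        # The executive program temporarily extends the reference list with the operand addresses
        # carried by the command: each must be in B(i) and gets the command's condition (w arrows).
        for b in operands:
            if b not in self.data_list or b not in cmd_access:
                raise AccessViolation(f"command {code:#04x} may not address {b}")
            view.refs[b] = (self.app.data[self.data_list[b]][0], cmd_access[b])
        return self.app.library[f_name](view, payload)

def is_denied(action: Callable[[], object]) -> bool:
    try:
        action()
    except AccessViolation:
        return True
    return False

def build_demo() -> InteractionContext:
    """Constructed sample: A(1) read-only on B(2), A(2) read-and-write, A(3) misconfigured read-only."""
    MEMORY.clear(), OWNER.clear()
    app = AppDescription("CSA1")
    app.add_data("E1", "H2", Access.READ | Access.WRITE)
    def store(view: DataView, data: bytes) -> bytes:
        view.write("B2", data)
        return b"\x90\x00"
    app.library["F1"] = lambda view, _: view.read("B2")
    app.library["F2"] = store
    return InteractionContext(
        app, procedures={"C1": ("F1", {}), "C2": ("F2", {})}, data_list={"B2": "E1"},
        commands={0x01: ("C1", {"B2": Access.READ}), 0x02: ("C2", {"B2": Access.READ | Access.WRITE}),
                  0x03: ("C2", {"B2": Access.READ})})
```

With the sample from build_demo(), execute(0x02, ["B2"], b"hello") writes through the read-and-write reference and execute(0x01, ["B2"]) reads the value back, while execute(0x03, ["B2"], b"x") is refused before memory changes because the writing procedure only received a read-only reference; a second application trying to bind H2 is refused for the same storage location.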

After having explained how data elements may be protected by the use of access conditions of different kinds, now memory management provisions will be explained. For memory management, it is desirable that alterable data (data elements) and non-alterable data (operating system code) can be managed by the operating system separately. The memory reference model as shown in figure 4 provides a separation of code and data elements within the memory means 16 which are referred to by pointers q(1) ... q(7), p(1) ... p(5) from the data list and the procedure library, respectively, within the application description 18 concerned. Data list elements within each interaction context 19(1), 19(2) only contain references to these pointers and no direct references to the codes G(1) ... G(5) and the data elements H(1) ... H(7) within the memory means 16. The data list of the application description 18 concerned provides the level of indirection required by the operating system to perform memory management.

Code duplication is avoided by providing common code libraries on two levels: "command bodies" like procedural description C(3) refer to code element F(2) in the procedure library in application description 18(1) in order to share common code among different interaction contexts. However, the body of procedural description C(3) also refers directly to a code G(3) stored in the memory means 16 and provided by the operating system. All units of executable code G(1) ... G(5) provided by the operating system are implemented for efficient execution.

Fundamentally, the memory structure according to figure 4 is also applicable in situations where only one application of the data processing unit 5 is provided for. In that case the only application description 18(1) may even coincide with one interaction context 19(1), which interaction context then contains at least the following coherent data structure:

a. a set of basic communication primitives A(1) ... which are accepted whenever the data processing unit 5 communicates with a similar unit 4, said primitives at least including a primitive used to selectively enter one of the said at least one interaction contexts;

b. a set of procedural descriptions C(1) ... defining the actions to be performed in response to each of the accepted communication primitives A(1) ..., at least comprising a first procedural description to be performed upon activating the interaction context, and a last procedural description to be performed immediately before deactivating the context;

c. a, possibly empty, set of data elements H(1) ..., either permanently stored or computed, which are available for use when procedures as defined in the procedural descriptions C(1) ... are performed;

d. a, possibly empty, set of references to data elements, which references are associated to the procedural descriptions C(1) ...; said data elements are also accessible to possibly further interaction contexts and are available for use when procedures as defined in the procedural descriptions C(1) ... are performed;

e. a, possibly empty, data list comprising a list of references to data elements which are available for explicit reference as part of a communication primitive, to be used by the procedural description associated with the communication primitive;

f. a set of access conditions associated to the data elements which are referenced in association to the procedural descriptions;

g. a set of access conditions associated to the list of data references B(1) ... in the data list.

If there is only one application provided for the data processing unit 5 and there are at least two interaction contexts 19(1), 19(2), each application description comprises:

a. a data list comprising references E(1) ... to data elements, which references may be accessible to two or more interaction contexts 19(1) ... and may be extended by additional data elements;

b. a further set of access conditions associated to said references E(1) ... or to said additional data elements and defining restrictions of use.

The set of procedural descriptions in each of the two 
or more interaction context descriptions also contains 
an additional last procedural description to be per- 
formed immediately before deactivating the context. 

Figure 5 represents the flow of control in the executive program (12, 17), designated above as "MAXOS".

After powering the system the software starts with processing a reset code in step 30. In step 31 the kernel operations security level of the data processing unit is entered. The access conditions describing this level are stored in an unmodifiable part of memory, e.g. ROM or hardware logic. In step 32 the non-volatile memory is checked for consistency and any modifications which might have been left unfinished by sudden power down, e.g. by extraction of a smart card, are cancelled. The non-volatile memory consistency check only involves examining state information stored in memory and computing check sums. The content of memory, if accessed at all, is only used to compute check sums. Thus, the consistency check is a safe operation. The exact nature of the consistency check facilities depends on details of hardware within the data processing unit and non-volatile memory modification routines which are to a wide extent irrelevant to the specified security architecture. After the general memory consistency check the precomputed levels of the security context stored in the memory are verified. Finally, the random access memory of the data processing unit is initialized.

In step 33, if the executing environment is thus declared safe, the secure application security level of the data processing unit is entered. In this level any access to memory pertaining to the kernel operations is blocked. Access to application data and descriptions from this level is exclusively provided through routines in the kernel which maintain state information on ongoing memory operations.

Upon first entry after reset, in step 34 application data element descriptors are used to check consistency of stored data with the descriptor, and memory is changed if in a state inconsistent with the attribute as described. An answer to reset (ATR) message is composed from application identifiers stored in the application descriptors and completed with a transaction number computed to be unpredictable by the receiving other data processing unit 4. Internal to the data processing unit a terminal command is generated to activate a default interaction context. Directly after the ATR message is sent to the other data processing unit 4 this internal context activation command is executed to provide an interaction context for subsequent commands. The ATR message clearly indicates the readiness of the data processing unit 5 to accept further commands. The default interaction context can be designed as part of a "smart card holder application" which is present as one standard application in all multi-application smart cards. In this specific application context the user, i.e. the smart card holder, can review his personal data or open any of the other applications on the card.

In step 35, as a result of the context activation command, the interaction context (CTA) security level is entered for the standard smart card holder CTA.

After an application has been activated completely it is ready to receive commands from the other data processing unit 4. Further processing depends on the command received: a command to activate an application is handled differently from a command which is to be executed. Therefore, in step 38, after having established that a communication primitive is received in step 36 and is established to be acceptable in step 37, it is tested whether a new application has to be activated. If not, step 39 is entered in which the command is checked to determine whether it is allowed and the input data can be accepted. These checks are performed for a command only if specified in the application descriptor. Also a decryption of input data may be carried out in step 39.

If the test succeeds the "data access protection level" is entered, step 40. On this level, the highest security level, routines may be executed which are coded by application providers, step 41. Such routines are stored in the application descriptor and function as an application specific reaction to a specific command issued by the other data processing unit 4. This security level constrains memory access to a subset specifically defined for the command being executed.

After carrying out the command with the submitted input data in step 41, the data access protection level is left, step 42.

Output data and (cryptographic) proof of command 
completion is generated in step 43. After step 43 the pro- 
gram waits for new communication primitives, step 36. 

If no special command routine is defined and the command can be executed by procedures consisting solely of operating system functions, the data access protection level (step 40) is not entered, and the command will be performed on the interaction context security level directly, as the operating system routines are designed not to violate any data protection.

If, in step 38, it is established that a new application is to be activated, the program proceeds with step 44 in which a context de-activation procedure is performed. In step 45 the current application specific security level is left and, in step 46, within the security level of the executive program "MAXOS", the data accompanying the command are checked.

If the command is allowed by proper authentication 
as specified for the requested application a new appli- 
cation specific CTA security level is entered, step 47. 
This level restricts access to data pertaining to the newly 
opened application. 

The data processing unit 5 produces data in response to a context activation command by executing an initialization instruction as defined in the procedure list, step 48. If such an application provider coded routine is present, the data access protection level is entered in step 49. The context activation procedure is performed in step 50. In step 51 the data access protection level is left and the response is communicated to the other data processing unit 4, and the data processing unit 5 itself is ready to receive a new command, as after step 43 specified above.
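As an added example (not the patent's code, and not an implementation of MAXOS), the Python state machine below walks through the steps of figure 5 as described: the security levels, the answer to reset with a random card transaction number, the internal activation of a default (cardholder) context, the deactivation procedure of the current context before a new one is activated, and the data access protection level that is entered only around provider-coded routines. The command codes, the status words, the consistency-check flag and the sample contexts are this example's assumptions.

```python
"""Added example, not the patent's own code and not an implementation of MAXOS: the flow
of control of figure 5 as a small state machine. Security levels, command codes, status
words and the sample contexts below are this example's assumptions."""
import os
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable

ACTIVATE = 0xA0   # the primitive value always interpreted as a request to enter a context

class Level(Enum):
    KERNEL = auto()        # step 31
    SECURE_APP = auto()    # step 33
    CTA = auto()           # steps 35 / 47
    DATA_ACCESS = auto()   # steps 40 / 49

@dataclass
class Context:
    ident: int
    commands: dict[int, Callable[["Context", bytes], bytes]] = field(default_factory=dict)
    provider_coded: set[int] = field(default_factory=set)   # commands with a provider-coded routine
    store: dict[str, bytes] = field(default_factory=dict)
    trace: list[str] = field(default_factory=list)          # record of first/last procedure runs

    def first(self) -> None: self.trace.append("first")   # procedure performed upon activation
    def last(self) -> None: self.trace.append("last")     # procedure performed before deactivation

class Card:
    def __init__(self, contexts: list[Context], default: int, nvm_ok: bool = True):
        self.contexts = {c.ident: c for c in contexts}
        self.default, self.nvm_ok, self.current = default, nvm_ok, None
        self.levels: list[Level] = []

    def reset(self) -> dict:
        self.levels.append(Level.KERNEL)                         # step 31
        if not self.nvm_ok:                                      # step 32: consistency check failed
            raise RuntimeError("non-volatile memory inconsistent: environment not declared safe")
        self.levels.append(Level.SECURE_APP)                     # step 33
        atr = {"applications": sorted(self.contexts), "card_txn": os.urandom(8)}   # step 34
        self.activate(self.default)                              # internal activation command
        return atr

    def activate(self, ident: int) -> None:
        if self.current is not None:
            self.current.last()                                  # step 44: deactivation procedure
            self.levels.append(Level.SECURE_APP)                 # steps 45/46: executive's level
        new = self.contexts[ident]
        self.levels.append(Level.CTA)                            # step 47 (step 35 for the default)
        if ACTIVATE in new.provider_coded:
            self.levels.append(Level.DATA_ACCESS)                # step 49
            new.first()                                          # step 50
            self.levels.append(Level.CTA)                        # step 51
        else:
            new.first()                                          # step 48: initialization by OS code
        self.current = new

    def process(self, code: int, data: bytes = b"") -> bytes:
        if code == ACTIVATE:                                     # step 38: new application requested
            ident = int.from_bytes(data, "big")
            if ident not in self.contexts or ident == self.current.ident:
                return b"\x6a\x82"
            self.activate(ident)
            return b"\x90\x00"
        ctx = self.current
        if code not in ctx.commands:                             # step 37: primitive not accepted
            return b"\x6d\x00"
        if code not in ctx.provider_coded:                       # OS-only procedure: stays on CTA level
            return ctx.commands[code](ctx, data)
        self.levels.append(Level.DATA_ACCESS)                    # step 40
        out = ctx.commands[code](ctx, data)                      # step 41
        self.levels.append(Level.CTA)                            # step 42
        return out                                               # step 43, then wait (step 36)

def run_demo() -> dict:
    """Constructed sample: cardholder context 0x01 (default) and purse context 0x20 whose
    activation and debit are provider-coded while its balance read is an OS procedure."""
    holder = Context(0x01, commands={0x10: lambda c, _: b"holder data"})
    purse = Context(0x20, store={"balance": (500).to_bytes(2, "big")})
    purse.commands[0x10] = lambda c, _: c.store["balance"]
    def debit(c: Context, amount: bytes) -> bytes:
        left = int.from_bytes(c.store["balance"], "big") - int.from_bytes(amount, "big")
        if left >= 0:
            c.store["balance"] = left.to_bytes(2, "big")
        return c.store["balance"]
    purse.commands[0x11], purse.provider_coded = debit, {0x11, ACTIVATE}
    card = Card([holder, purse], default=0x01)
    atr = card.reset()
    out = [card.process(0x10), card.process(ACTIVATE, b"\x20"), card.process(0x10),
           card.process(0x11, (120).to_bytes(2, "big")), card.process(0x11, (999).to_bytes(2, "big")),
           card.process(0x99)]
    try:
        Card([holder], 0x01, nvm_ok=False).reset()
        unsafe = False
    except RuntimeError:
        unsafe = True
    return {"atr": atr, "out": out, "levels": card.levels, "holder": holder.trace,
            "purse": purse.trace, "unsafe_reset_refused": unsafe}
```

run_demo() records the level sequence of a reset followed by an activation of the purse and three purse commands; the balance read by an operating-system procedure leaves the level list untouched, whereas each provider-coded routine appears as a DATA_ACCESS entry bracketed by CTA entries.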

After having described the figures 1 to 5, now some general remarks on the data exchange system according to the invention are made.

The codes in the procedure library within each application description 18(1), 18(2) may be enhanced by including a specification of the use of their operational parameters into classes relating to attributes pertaining to data elements which can be passed as actual value in a computation, which computation only proceeds if the data attributes and parameter classes match. This provides one way to verify access conditions both to data elements and to functions. Comparing properly encoded bit maps of data attributes and parameter classes respectively may provide an efficient implementation for this additional technique.

The executive program 12, 17 may comprise a reference to an interaction context which is used to initialize the current interaction context in the memory element 20 storing a reference to the interaction context currently being in force. By this measure it is possible to carry out a final action after detection of an internal inconsistency, in a recovery to a normal state of operation, or whenever the executive program 12, 17 is active and no explicit interaction context has been specified by a communication primitive received from the other data processing unit. This default interaction context may well be one such context contained in the cardholder application as described above.

Additionally, the memory means 9, 16 may comprise an interaction context 11, 19 dedicated to comprise personal identification numbers (PINs), and the executive program 12, 17 is arranged to verify personal identification numbers supplied by a user of the data exchange system. Several such personal identification numbers, or passwords, may be used. One such password may be used to protect use of the device in transactions where privacy sensitive data can be revealed. A second password may be used to protect transactions where data representing a value payable by the password holder is communicated. A third password may be used to protect transactions where operations are performed deemed critical to the security of the application, such as modes of protection being called upon as specified within each of the interaction contexts 11, 19 that may require it. Further passwords may be provided for. This PIN management interaction context may well be one such context contained in the card-holder application as described above.

Each application description 13, 18 may comprise a list of numeric values which is constructed to provide identifiers for all interaction contexts 11, 19, and each application description 13, 18 may comprise at least a first numeric value indicating an application type, a second numeric value indicating a unique identification of the entity providing the application, a third numeric value indicating the nature of the application description 13, 18 and further numbers each uniquely referring to one interaction context 11, 19. The first two numbers may be assigned according to rules well established in the trade, whereas the remaining numbers may be chosen by the application providing entity as deemed appropriate. Especially it may assign numeric values to distinguish between different versions of the implementation or to identify the generation of the set of cryptographic keys employed by the application in its cryptographic computations. Additionally, the device may include in the answer to reset message a list containing, for each of the interaction contexts 11, 19 contained in its memory means, an identification number composed of the unique identification values stored with the interaction context. The first element in the list of interaction context identification numbers may be an identification for the default context.

The data communication means 7, 14 are preferably arranged to structure data exchange in blocks of data. These blocks of data comprise at least two parts, a first part being data qualified as operational in that it is used to influence the nature of the operations performed by a command as indicated by a communication primitive, or data resulting from operations carried out. A second part will be qualified as security in that it is used to determine the appropriateness of performing an operation or the acceptability of data within the operational part to be used in the operation, or to prove completion of the operation or correctness of the revealed data.

EP 0 666 550 B1

When the data is structured in this way the executive program 17 may be arranged to perform, upon accepting a communication primitive to perform operations specified in the current interaction context 20, 21, each operation as part of a predetermined and fixed sequence of actions, each of which is specified separately as part of a procedure description rule associated to the accepted communication primitive. A first action may be specified as a function to authorize the use of the communication primitive at this point in the sequence of communications. A second action may be specified as a function to decrypt the operational data or any part of it, whereas a third action may be specified as the operational procedure proper. A fourth action may be specified to encrypt any operational data which results from the operations performed, and a fifth action may be specified as a function to compute a proof of completion of the performed action or of correctness of the resulting data, or to be used in security computations in the receiving data processing unit. These actions are reflected by the flow diagram of figure 5.

Additionally, the data processing unit 5 may include in its answer to reset message a number chosen to be unpredictable in value by the receiving data processing unit 4, which can serve as the basis for cryptographic computations. Such a number may be designated as the "card transaction number".

There will be provided for one communication primitive assigned a specified value which will always be interpreted as a request to enter a new interaction context 11, 19. This communication primitive may be designated as the "activation command". The data accompanying the activation command sufficiently specifies the context to be activated, possibly by referring to the identification numbers communicated as part of the answer to reset message. The actions performed in responding to the activation command are firstly described by the procedural description contained in the context accepting the primitive designated as for deactivation, and secondly described in the procedural description designated for activation contained in the context specified as to be entered.

Preferably the communication primitive used to enter a specified interaction context 11, 19 comprises numeric values to be used in security calculations in subsequent communications. A first random value may be generated by one of the processing units 4, 5 and a second value may serve to identify that one processing unit. This identification might be the result of computations which are such that the resulting value sufficiently identifies the device and the state of its memory as required by computations or other actions which might be done in subsequent exchanges of data in the interaction context 11, 19 to be activated. Said second value may be designated as "terminal identification".

Additionally, the activation command gives as part of the resulting data a numeric value serving to identify the particular responding data processing unit sufficiently as required by computations or other actions which might be done in subsequent exchanges of data in the context just being activated, which number may be designated as "smart card identification".

Besides, the smart card identification number may be computed using cryptographic functions from data stored in the data processing unit 5 or from the data received as part of the activation command, in such a way that the number varies in an unpredictable manner when computed in response to activation commands received from initiating devices with differing terminal identification numbers; a smart card identification thus computed can be designated as the "smart card pseudonym". Moreover, before performing the actions described in the procedural description of the activation procedure of a context to be entered, the executive program may perform a cryptographic computation, specified as part of the procedural description in that context designated to be performed upon activation, to determine whether the context may be activated. The computations may involve use of the smart card transaction identification, terminal transaction identification and terminal identification and other values stored in the memory means.
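The exchange sketched in the passages above on the card transaction number, the activation command carrying a terminal identification and terminal random value, the smart card pseudonym, and the five-action sequence (authorize, decrypt, operate, encrypt, prove) is played out below with both sides' messages. This is an added example, not the patent's code: the patent fixes no algorithm or message format, so HMAC-SHA256 for the MAC, the proof of completion and the key derivation, a hash-based keystream as a stand-in cipher, the dictionary message layout and all names are assumptions of this example.

```python
"""Added example, not the patent's own code: the activation-command exchange and the
five-action command sequence, with both sides' messages. HMAC-SHA256 as MAC and key
derivation, a hash keystream as stand-in cipher, the message layout and all names are
this example's assumptions; the patent fixes no algorithm or encoding."""
import hashlib
import hmac
import os
from typing import Callable

ACTIVATE = 0xA0   # the primitive always interpreted as "enter a new interaction context"

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in cipher: one keystream per session key and direction; not fit for real use.
    ks = hashlib.sha256(key + label).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, ks))

class Card:
    def __init__(self, contexts: dict[int, tuple[bytes, dict[int, Callable[[bytes], bytes]]]]):
        self.contexts = contexts          # context identification -> (context key, accepted commands)
        self.ident, self.card_txn, self.session_key = None, b"", b""

    def reset(self) -> dict:
        self.ident, self.card_txn = None, os.urandom(8)   # card transaction number, unpredictable
        return {"contexts": sorted(self.contexts), "card_txn": self.card_txn}

    def process(self, cmd: dict) -> dict:
        code, op, sec = cmd["code"], cmd["operational"], cmd["security"]
        if code == ACTIVATE:
            ident, tid, trand = cmd["context"], op[:4], op[4:]   # terminal identification and random
            if ident not in self.contexts:
                return {"status": "refused"}
            key = self.contexts[ident][0]
            # Activation condition: a computation over terminal id, terminal and card transaction numbers.
            if not hmac.compare_digest(mac(key, b"activate", tid, trand, self.card_txn), sec):
                return {"status": "refused"}
            self.ident = ident
            self.session_key = mac(key, b"session", self.card_txn, trand, tid)
            pseudonym = mac(key, b"pseudonym", tid)[:8]   # smart card pseudonym: varies with tid
            return {"status": "ok", "operational": pseudonym,
                    "security": mac(self.session_key, b"done", pseudonym)}
        if self.ident is None or code not in self.contexts[self.ident][1]:
            return {"status": "refused"}
        if not hmac.compare_digest(mac(self.session_key, bytes([code]), op), sec):   # 1: authorize
            return {"status": "refused"}
        plain = xor_stream(self.session_key, b"t2c", op)                              # 2: decrypt
        result = self.contexts[self.ident][1][code](plain)                            # 3: operate
        out = xor_stream(self.session_key, b"c2t", result)                            # 4: encrypt
        return {"status": "ok", "operational": out,
                "security": mac(self.session_key, b"done", out)}                      # 5: proof

class Terminal:
    def __init__(self, terminal_id: bytes, keys: dict[int, bytes]):
        self.tid, self.keys, self.session_key = terminal_id, keys, b""

    def open(self, card: Card, ident: int) -> bytes:
        atr, trand = card.reset(), os.urandom(8)          # terminal transaction number
        key = self.keys[ident]
        resp = card.process({"code": ACTIVATE, "context": ident, "operational": self.tid + trand,
                             "security": mac(key, b"activate", self.tid, trand, atr["card_txn"])})
        self.session_key = mac(key, b"session", atr["card_txn"], trand, self.tid)
        return self.check(resp)                           # the smart card pseudonym

    def send(self, card: Card, code: int, data: bytes) -> bytes:
        op = xor_stream(self.session_key, b"t2c", data)
        resp = card.process({"code": code, "operational": op,
                             "security": mac(self.session_key, bytes([code]), op)})
        return xor_stream(self.session_key, b"c2t", self.check(resp))

    def check(self, resp: dict) -> bytes:
        if resp["status"] != "ok" or not hmac.compare_digest(
                mac(self.session_key, b"done", resp["operational"]), resp["security"]):
            raise PermissionError("refused by the card or proof of completion invalid")
        return resp["operational"]

def run_demo() -> dict:
    """Constructed sample: purse context 0x20 under a shared key, opened and used by terminal T001;
    a forged command, a second terminal identification and a wrong key are also tried."""
    key, balance = b"purse-context-key-0001", bytearray((500).to_bytes(2, "big"))
    def debit(amount: bytes) -> bytes:
        left = int.from_bytes(balance, "big") - int.from_bytes(amount, "big")
        if left >= 0:
            balance[:] = left.to_bytes(2, "big")
        return bytes(balance)
    card = Card({0x20: (key, {0x10: lambda _: bytes(balance), 0x11: debit})})
    t1 = Terminal(b"T001", {0x20: key})
    p1, before = t1.open(card, 0x20), t1.send(card, 0x10, b"")
    after = t1.send(card, 0x11, (120).to_bytes(2, "big"))
    forged = card.process({"code": 0x10, "operational": b"", "security": bytes(32)})["status"]
    p2 = Terminal(b"T002", {0x20: key}).open(card, 0x20)   # other terminal id: other pseudonym
    try:
        Terminal(b"T003", {0x20: b"wrong"}).open(card, 0x20)
        wrong_key = "accepted"
    except PermissionError:
        wrong_key = "refused"
    return {"pseudonyms": (p1, p2), "before": before, "after": after, "forged": forged,
            "wrong_key": wrong_key}
```

The session key is derived on both sides from the context key, the card transaction number from the ATR, the terminal random value and the terminal identification, so every command MAC is bound to this particular session; a command whose security part does not verify is refused before any decryption or operation takes place, and the pseudonym returned to terminal T002 differs from the one returned to T001.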

As an alternative to such specific computations supported with specific data in performing commands, commands with bitfield specification of referenced data elements may be used. Then each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being composed of a fixed number of binary values each of which is interpreted by the executive program 12, 17 as a reference to a single data element. This data element is specified in the list of external data references in the interaction context 11, 19 concerned, each data element in the list being specified by a binary value of one in the corresponding position in the list of binary values. This second value may be designated as the "operand addresses". Each of the data elements which are so specified is made available by the executive program 12, 17 to be used in the responding action in a manner as may be described in the procedural description of that action.

As an alternative to specific computations with specific data and to commands with bitfield specification of referenced data elements, a command format with data match specification of data may be applied. In that case each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being used to determine which of the data elements available for external reference in an active interaction context 11, 19 will be used while performing responding actions, in such a way that any data element is selected if it contains a value that matches said second value. This second value may be designated as the "operand tag specifier". Additionally, the interaction context 11, 19 may contain a procedural description indicating in what way an operand tag specifier given as part of a command is to be compared with data contained in any of the data elements available for external reference in that context, which procedural description is performed to select the intended data elements before the procedural description is performed specifying the command actions proper.

As a further alternative a command format with bitfield specification of command interpretation may be used. Then each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being composed of a number of binary values which are assigned specific meaning by the executive program 12, 17 to be used in interpreting data formats in the communication primitive and in performing responding actions. Here the second value may be designated as "command modifier". The values are recognized for their assigned meaning by all units equipped with this additional technique.

In case the latter alternative is applied the command modifier may include a binary value which determines whether a third part of the command is to be used as operand addresses or as operand tag specifier. However, the command modifier may, as an alternative, include a binary value which determines whether the operation performed as response to the command will use data as one data element or as a concatenation of data elements, one to be processed in conjunction with each data element specified as part of the command value using operand addresses or the operand tag specifier. Alternatively, the command modifier may include a binary value which determines whether data provided with the command is encoded using the tag-length-value method to discriminate successive concatenated data elements.

A further option is that the command modifier may include a binary value which determines whether performing the action implied by the command will actually lead to an effective change of data stored in the data processing unit 5 (smart card) or actually result in data computed by the data processing unit 5, or whether the command result is data reflecting the state of the unit with regard to the acceptability of the command, the data accompanying it, the size of the data which could result from computations or other sundry attributes.
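The three command formats just discussed (operand addresses as a bit field, operand tag specifier, command modifier) can be handled by one parser. The following Python code is an added example, not the patent's code: the byte layout [code][modifier][operand part][data ...], the assignment of the modifier bits, the one-byte tag-length-value encoding, the default tag-matching procedure and the update action are assumptions of this example.

```python
"""Added example, not the patent's own code: a parser for the command formats discussed
above (operand addresses as a bit field, operand tag specifier, command modifier with bits
for tag selection, concatenated data, tag-length-value encoding and a state-query mode).
Byte layout [code][modifier][operand part][data...], the bit assignments and all names
are this example's assumptions; the patent fixes none of them."""
from dataclasses import dataclass
from typing import Callable

MOD_TAG_SELECT = 0x01   # third part is an operand tag specifier, not operand addresses
MOD_CONCAT = 0x02       # data is a concatenation, one piece per selected data element
MOD_TLV = 0x04          # data pieces are tag-length-value encoded
MOD_QUERY = 0x08        # report acceptability only; change nothing

class FormatError(ValueError):
    """Command rejected before any procedural description runs."""

@dataclass(frozen=True)
class Command:
    code: int
    modifier: int
    operands: tuple[str, ...]   # names of the selected elements of the external data list
    data: tuple[bytes, ...]     # one piece, or one per operand when MOD_CONCAT or MOD_TLV is set

def parse_tlv(buf: bytes) -> list[bytes]:
    """Splits [tag][length][value]... with a one-byte length (assumption)."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise FormatError("truncated TLV element")
        out.append(buf[i + 2:i + 2 + buf[i + 1]])
        i += 2 + buf[i + 1]
    return out

def parse_command(raw: bytes, external: dict[str, bytes],
                  tag_match: Callable[[bytes, int], bool] = lambda v, tag: v[:1] == bytes([tag])) -> Command:
    """external: the context's data elements available for external reference, in list order,
    with their current contents (the contents are what an operand tag specifier is matched against)."""
    if len(raw) < 3:
        raise FormatError("command needs code, modifier and operand part")
    code, modifier, spec, body = raw[0], raw[1], raw[2], raw[3:]
    names = list(external)
    if modifier & MOD_TAG_SELECT:
        # Operand tag specifier: select every element whose contents match, using the
        # context's own matching procedure.
        operands = [n for n in names if tag_match(external[n], spec)]
    else:
        # Operand addresses: bit i of the third part selects the i-th element of the list.
        if spec >> len(names):
            raise FormatError("operand address refers beyond the external data list")
        operands = [n for i, n in enumerate(names) if spec >> i & 1]
    if modifier & MOD_TLV:
        pieces = tuple(parse_tlv(body))
    elif modifier & MOD_CONCAT:
        if not operands or not body or len(body) % len(operands):
            raise FormatError("concatenated data does not split evenly over the operands")
        step = len(body) // len(operands)
        pieces = tuple(body[k:k + step] for k in range(0, len(body), step))
    else:
        pieces = (body,)
    if modifier & (MOD_TLV | MOD_CONCAT) and len(pieces) != len(operands):
        raise FormatError("expected one data piece per selected operand")
    return Command(code, modifier, tuple(operands), pieces)

def apply_update(cmd: Command, external: dict[str, bytes]) -> dict:
    """Responding action for an 'update' command: writes each piece to its operand, unless the
    modifier asks only for the acceptability report (state of the unit, no effective change)."""
    pieces = cmd.data if len(cmd.data) == len(cmd.operands) else cmd.data * len(cmd.operands)
    if len(pieces) != len(cmd.operands):
        return {"accepted": False, "reason": "data pieces do not map onto operands"}
    if cmd.modifier & MOD_QUERY:
        return {"accepted": True, "would_write": dict(zip(cmd.operands, pieces))}
    external.update(zip(cmd.operands, pieces))
    return {"accepted": True, "written": list(cmd.operands)}

def rejects(raw: bytes, external: dict[str, bytes]) -> bool:
    """True when the command is refused by the format checks."""
    try:
        parse_command(raw, external)
    except FormatError:
        return True
    return False
```

Because the operand part is one byte, at most eight elements of the external list can be addressed by bit field, which matches the remark further on that only a few bits are needed for the name space of one context; an address bit beyond the list, a tag-length-value element whose length overruns the data, or a concatenation that does not split evenly are all refused before the command's own procedure runs.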

In short, the new technique introduced above, especially suitable for implementation in smart cards, is the concept of a separate execution environment. In this approach the processing means and other resources in a computer are shared between different applications as if the application was the only user of the computer. Building on this new technique, in smart card implementations in addition a mechanism is provided to define multiple access conditions for data shared by a number of related applications. A second technique supported by the separate execution environments and introduced above is the possibility to define the functional meaning of commands in each environment to obtain a minimum number of commands in each interaction between two similar data processing units 4, 5 within a data exchange system. Finally it is possible with the new technique for names referring to stored data elements to be assigned within each context separately. The reference to stored data elements as part of a command received from one of the data processing units 4, 5 can thus be made very efficient: due to the very small number of data elements and small number of distinct operations that is used in today's smart card practice in each environment separately, only a few bits are needed to encode the name and instruction space. In a similar fashion access conditions, methods of verification thereof and cryptographic operations available to that end in actual smart cards will be very restricted in number and they can be expressed very efficiently in the two tier hierarchy of interaction context descriptions 19(1) ... enclosed in application description 18.



Claims

1. Data exchange system comprising at least one portable data processing unit (5) comprising data communication means (14), processing means (15) and memory means (16), the latter comprising an executive program (17), characterized in that the memory means (16) further comprises at least one interaction context (19(1) ... 19(m)) containing the following coherent data structure:

a. a set of basic communication primitives (A(1) ...) which are accepted whenever the data processing unit (5) communicates with a similar unit (4), said primitives at least including a primitive used to selectively enter one of the said interaction contexts (19(1) ...);

b. a set of procedural descriptions (C(1) ...) defining the actions to be performed in response to each of the accepted communication primitives (A(1) ...), at least comprising a first procedural description to be performed upon activating the interaction context, and a last procedural description to be performed immediately before deactivating the context;

c. a, possibly empty, set of data elements (H(1) ...) either permanently stored or computed, which are available for use when procedures as defined in the procedural descriptions (C(1) ...) are performed;

d. a, possibly empty, set of references to data elements, which references are associated to the procedural descriptions (C(1) ...), said data elements are also accessible to possibly further interaction contexts and are available for use when procedures as defined in the procedural descriptions (C(1) ...) are performed;

e. a, possibly empty, data list comprising a list of references (B(1) ...) to data elements which are available for explicit reference as part of a communication primitive (A(1) ...) to be used by the procedural description (C(1) ...) associated with the communication primitive;

f. a set of access conditions associated to the data elements which are referenced in association to the procedural descriptions (C(1) ...);

g. a set of access conditions associated to the list of data references (B(1) ...) in the data list.

2. Data exchange system according to claim 1 characterized in that the memory means (16) further comprises at least two interaction contexts (19(1) ... 19(m)), at least one application description (18(1) ...) and a memory element (20) storing a reference to the interaction context currently being in force, each application description comprising:

a. a data list comprising references (E(1) ...) to data elements, which references may be accessible to two or more interaction contexts (19(1) ...) and may be extended by additional data elements;

b. a further set of access conditions associated to said references (E(1) ...) or to said additional data elements and defining restrictions of use.

3. Data exchange system according to claim 2 characterized in that each application description (18(1) ...) also comprises a procedure library comprising units of executable code (F(1) ...) which can be used by procedural descriptions (C(1) ...) of each interaction context associated to each of said application descriptions (18(1) ...).

4. Data exchange system according to claim 2 or 3 characterized in that the memory means comprises at least two application descriptions (18(1) ...) and units of executable code (G(1) ...) which can be used by procedural descriptions (C(1) ...) of each interaction context (19(1) ...) within each application description (18(1) ...) or by each unit of executable code (F(1) ...) of each procedure library within each application description (18(1) ...).

5. Data exchange system according to any of the claims 3 or 4 characterized in that the units of executable code in the procedure library are enhanced by including a specification of the use of their operational parameters into classes relating to attributes pertaining to data elements which can be passed as actual value in a computation, which computation only proceeds if the data attributes and parameter classes match.

6. Data exchange system according to any of the claims 2 to 5 characterized in that the executive program (17) comprises a reference to a default interaction context which is used to initialise the memory element (20) storing a reference to the interaction context currently being in force, in order to carry out a final action after a detection of an internal inconsistency in a recovery to a normal state of operation, or whenever the executive program (17) is active and no explicit interaction context has been specified by a communication primitive received from an opposite data processing unit (4).

7. Data exchange system according to any of the preceding claims characterized in that the memory means (16) comprises an interaction context dedicated to comprise Personal Identification Numbers and that the executive program (17) is arranged to verify Personal Identification Numbers supplied by a user of the data exchange system.

8. Data exchange system according to any of the claims 2 to 7 characterized in that each application description (18(1) ...) comprises a list of numeric values which is constructed to provide identifiers for all interaction contexts (19(1) ...) and comprises at least a first numeric value indicating an application type, a second numeric value indicating a unique identification of the entity providing the application, a third numeric value indicating the nature of the application description (18(1) ...) and further numbers each uniquely referring to one interaction context (19(1) ...) associated with the application description.

9. Data exchange system according to any of the preceding claims characterized in that the data communication means (14) is arranged to structure data exchange in blocks of data comprising at least two parts, a first part being data qualified as operational in that it is used to influence the nature of the operations performed by a command as indicated by a communication primitive, or data resulting from operations carried out, a second part being qualified as security in that it is used to determine the appropriateness of performing an operation or the acceptability of data within the operational part to be used in the operation, or to prove completion of the operation or correctness of the resulting data.

10. Data exchange system according to claim 9 characterized in that the executive program (17) is arranged to perform, upon accepting a communication primitive to perform operations specified in the current interaction context (19(1) ...), each operation as part of a predetermined and fixed sequence of actions each of which is specified separately as part of a procedural description associated to the accepted communication primitive, which actions comprise at least the following actions:

a. authorization of the use of the communication primitive;

b. decryption of operational data or any part of it;

c. performing a command with any input data;

d. encryption of any operational data resulting from any operation performed;

e. computation of a proof of completion of any performed action or of correctness of the resulting data to be used in security computations.

11. Data exchange system according to any of the preceding claims characterized in that the data processing unit (5) generates a random transaction number upon initializing data transfer, which serves as basis for cryptographic computations.

12. Data exchange system according to any of the preceding claims characterized in that one communication primitive is assigned a specified value which will always be interpreted as a request to enter a new interaction context (19(1) ...).

13. Data exchange system according to any of the preceding claims characterized in that it comprises a further data processing unit (4) comprising the same elements as the data processing unit (4) which might optionally contain in its memory an application programmers' interface (10) which consists of program code designed to allow additional computer programs to be implemented to give users control over the sequence of exchanged communication primitives or to influence the data transferred in them or to learn or further process the data received in the exchange.

14. Data exchange system according to claim 13 characterized in that the primitive used to enter a specified interaction context (19(1) ...) comprises numeric values to be used in security calculations in subsequent communications, a first random value generated by one of the processing units and a second value serving to identify said one processing unit.

15. Data exchange system according to claim 13 characterized in that each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being composed of a fixed number of binary values each of which is interpreted by the executive program (12; 17) as a reference to a single data element.

16. Data exchange system according to claim 13 characterized in that each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being used to determine which of the data elements available for external reference in an active interaction context (19(1) ...) will be used while performing responding actions, in such a way that any data element is selected if it contains a value that matches said second value.

17. Data exchange system according to claim 13 characterized in that each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedural description of an action associated to the communication primitive, a second value being composed of a number of binary values which are assigned specific meanings by the executive program (12, 17) to be used in interpreting data formats in the communication primitive and in performing responding actions.
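The command modifier described above (operand selection bits, tag-length-value payloads, a check-only variant) and the fixed action sequence of claims 9 to 11 and 15, as an added Python model of the card side that is not part of the patent. The modifier bit layout, the HMAC-based security part, the keystream transform and the READ/UPDATE procedures are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed modifier layout (this example's choice, not the patent's encoding):
# bits 0..5 select entries of the context's data list by position (claim 15),
# bit 6 marks a tag-length-value payload, bit 7 asks for a check-only run
# whose result only reports acceptability and the size the result would have.
FLAG_TLV = 0x40
FLAG_CHECK_ONLY = 0x80
PROC_READ, PROC_UPDATE = 0x01, 0x02
MAC_LEN = 8


@dataclass
class DataElement:
    name: str
    value: bytes
    read_cond: str   # access conditions of claim 1(f)/(g): "ALWAYS", "MAC" or "NEVER"
    write_cond: str


def mac(key: bytes, *parts: bytes) -> bytes:
    """Security part of a block (claim 9): truncated HMAC-SHA256 over the parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:MAC_LEN]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric transform (HMAC keystream XOR); one call encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def parse_tlv(payload: bytes) -> list:
    """Split concatenated tag-length-value items and return their value fields."""
    items, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated TLV item")
        length = payload[i + 1]
        items.append(payload[i + 2:i + 2 + length])
        i += 2 + length
    return items


def build_command(key: bytes, tn: bytes, proc: int, modifier: int, payload: bytes = b"") -> bytes:
    """Terminal side: operational part (procedure, modifier, encrypted payload) plus security part."""
    operational = bytes([proc, modifier]) + keystream_xor(key, tn, payload)
    return operational + mac(key, tn, operational)


class InteractionContext:
    """Card side: one interaction context with its data list, access conditions and procedures."""

    def __init__(self, key: bytes, elements: list):
        self.key = key
        self.elements = elements
        self.transaction_number = os.urandom(8)   # claim 11: random per data transfer

    def handle(self, block: bytes) -> tuple:
        """Run one command block through the fixed sequence of claim 10, a. to e."""
        if len(block) < 2 + MAC_LEN:
            return "bad_request", b""
        operational, security = block[:-MAC_LEN], block[-MAC_LEN:]
        # a. authorization: a bad security part demotes the caller to "unauthenticated";
        #    each referenced element's access condition is then checked against that state
        authenticated = hmac.compare_digest(security, mac(self.key, self.transaction_number, operational))
        proc, modifier, payload = operational[0], operational[1], operational[2:]
        selected = [e for i, e in enumerate(self.elements) if modifier & (1 << i)]
        attr = "write_cond" if proc == PROC_UPDATE else "read_cond"
        for element in selected:
            cond = getattr(element, attr)
            if cond == "NEVER" or (cond == "MAC" and not authenticated):
                return "denied", b""
        # b. decryption of the operational data
        plain = keystream_xor(self.key, self.transaction_number, payload)
        try:
            values = parse_tlv(plain) if modifier & FLAG_TLV else [plain]
        except ValueError:
            return "bad_request", b""
        # c. perform the command
        if proc == PROC_READ:
            result = b"".join(e.value for e in selected)
        elif proc == PROC_UPDATE:
            if len(selected) != 1 or len(values) != 1:
                return "bad_request", b""
            result = values[0]
        else:
            return "unknown_command", b""
        if modifier & FLAG_CHECK_ONLY:   # report acceptability and size, change nothing
            return "would_accept", len(result).to_bytes(2, "big")
        if proc == PROC_UPDATE:          # only now is stored data actually changed
            selected[0].value, result = result, b""
        # d. encryption of the result and e. proof of completion over the ciphertext
        cipher = keystream_xor(self.key, self.transaction_number + b"resp", result)
        return "ok", cipher + mac(self.key, self.transaction_number, cipher)
```

A tampered security part does not abort the exchange by itself; it only leaves the caller unauthenticated, so elements whose access condition is "ALWAYS" stay readable while "MAC"-protected writes are refused.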



1. Data exchange system with at least one portable data processing unit (5) which comprises a data communication device (14), a processing device (15) and a memory device (16), the latter comprising an executive program (17), characterized in that the memory device (16) further comprises at least one interaction context (19(1) ... 19(m)) which contains the following coherent data structure:

a. a set of basic communication primitives (A(1) ...) which are accepted whenever the data processing unit (5) communicates with a corresponding unit (4), the primitives comprising at least one primitive which is used to selectively enter one of the interaction contexts (19(1) ...);

b. a set of procedure descriptions (C(1) ...) which define the actions to be performed in response to each of the accepted communication primitives (A(1) ...) and which comprise at least a first procedure description to be performed upon activation of the interaction context, and a last procedure description to be performed immediately before deactivation of the context;

c. a possibly empty set of either permanently stored or computed data elements (H(1) ...) which are available for use when procedures as defined in the procedure descriptions (C(1) ...) are performed;

d. a possibly empty set of references to data elements, which references are associated with the procedure descriptions (C(1) ...), the data elements also being accessible to possible further interaction contexts and being available for use when procedures as defined in the procedure descriptions (C(1) ...) are performed;

e. a possibly empty data list with a list of references (B(1) ...) to data elements which are available for explicit reference as part of a communication primitive (A(1) ...), to be used by the procedure description (C(1) ...) associated with the communication primitive;

f. a set of access conditions associated with the data elements which are referenced in connection with the procedure descriptions (C(1) ...);

g. a set of access conditions associated with the list of data references (B(1) ...) in the data list.

2. Data exchange system according to claim 1, characterized in that the memory device (16) further comprises at least two interaction contexts (19(1) ... 19(m)), at least one application description (18(1) ...) and a memory element (20) which stores a reference to the interaction context currently in force, each application description comprising:

a. a data list with references (E(1) ...) to data elements, which references are accessible to two or more interaction contexts (19(1) ...) and may be extended by additional data elements;

b. a further set of access conditions which are associated with the references (E(1) ...) or with the additional data elements and which define restrictions of use.

3. Data exchange system according to claim 2, characterized in that each application description (18(1) ...) additionally comprises a procedure library with executable code units (F(1) ...) which can be used by procedure descriptions (C(1) ...) of each interaction context associated with each of the application descriptions (18(1) ...).

4. Data exchange system according to claim 2 or 3, characterized in that the memory device comprises at least two application descriptions (18(1) ...) and executable code units (G(1) ...) which can be used by procedure descriptions (C(1) ...) of each interaction context (19(1) ...) within each application description (18(1) ...) or by each executable code unit (F(1) ...) of each procedure library within each application description (18(1) ...).

5. Data exchange system according to any of claims 3 or 4, characterized in that the executable code units in the procedure library are extended by inserting a specification of the use of their operational parameters in classes which relate to attributes concerning data elements that can be taken as the actual value in a computation, which computation only proceeds if the data attributes and the parameter classes match.

6. Data exchange system according to any of claims 2 to 5, characterized in that the executive program (17) comprises a reference to a default interaction context which is used to initialise the memory element (20) storing a reference to the interaction context currently in force, in order to carry out a final action after detection of an internal inconsistency upon a return to a normal operating state, or whenever the executive program (17) is active and no explicit interaction context has been specified by a communication primitive received from an opposite data processing unit (4).

7. Data exchange system according to any of the preceding claims, characterized in that the memory device (16) comprises an interaction context whose purpose is to hold personal identification numbers, and in that the executive program (17) is designed to verify personal identification numbers supplied by a user of the data exchange system.

8. Data exchange system according to any of claims 2 to 7, characterized in that each application description (18(1) ...) comprises a list of numeric values which is constructed so as to provide identifiers for all interaction contexts (19(1) ...) and which comprises at least a first numeric value indicating an application type, a second numeric value indicating a unique designation of the provider of the application, a third numeric value indicating the nature of the application description (18(1) ...), and further numbers each referring uniquely to one interaction context (19(1) ...) associated with the application description.

9. Data exchange system according to any of the preceding claims, characterized in that the communication device (14) is designed to structure the data exchange into data blocks comprising at least two parts, a first part being data qualified as operational in that it is used to influence the nature of the operations performed by a command as indicated by a communication primitive, or data resulting from operations performed, and a second part being qualified as security-relevant in that it is used to determine the suitability of performing an operation or the acceptability of data in the operational part to be used in the operation, or to prove the completion of the operation or the correctness of the resulting data.

10. Data exchange system according to claim 9, characterized in that the executive program (17) is designed so that, upon acceptance of a communication primitive for performing operations specified in the current interaction context (19(1) ...), it performs each operation as part of a predetermined and fixed sequence of actions, each of which is specified separately as part of a procedure description associated with the accepted communication primitive, which actions comprise at least the following actions:

a. authorization of the use of the communication primitive;

b. decryption of the operational data or of a part thereof;

c. performing a command with input data;

d. encryption of operational data resulting from a performed operation;

e. computation of a proof of completion of a performed action or of the correctness of the resulting data, to be used in security computations.

11. Data exchange system according to any of the preceding claims, characterized in that the data processing unit (5) generates a random transaction number upon initialisation of the data transfer, which serves as the basis for cryptographic computations.

12. Data exchange system according to any of the preceding claims, characterized in that a communication primitive is assigned a specified value which is always interpreted as a request to enter a new interaction context (19(1) ...).

13. Data exchange system according to any of the preceding claims, characterized in that it comprises a further data processing unit (4) which comprises the same elements as the data processing unit (4) and which may optionally contain in its memory an application programmer interface (10) consisting of program code designed to permit the implementation of additional computer programs in order to give users control over the sequence of exchanged communication primitives, or to influence the data transferred in them, or to learn or further process the data received in the exchange.

14. Data exchange system according to claim 13, characterized in that the primitive used to enter a specified interaction context (19(1) ...) comprises numeric values to be used in security computations in subsequent communications, a first random value generated by one of the processing units and a second value serving to identify that one processing unit.

15. Data exchange system according to claim 13, characterized in that each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedure description of an action associated with the communication primitive, and a second value being composed of a fixed number of binary values each of which is interpreted by the executive program (12; 17) as a reference to a single data element.

16. Data exchange system according to claim 13, characterized in that each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedure description of an action associated with the communication primitive, and a second value being used to determine which of the data elements available for external reference in an active interaction context (19(1) ...) are used while response actions are performed, in such a way that a data element is selected if it contains a value that matches the second value.

17. Data exchange system according to claim 13, characterized in that each communication primitive is composed of two or more numeric values, a first value being used to refer to a procedure description of an action associated with the communication primitive, and a second value being composed of a number of binary values to which the executive program (12, 17) assigns specific meanings, to be used in interpreting data formats in the communication primitive and in performing response actions.



Revendicatlons 

1. Syst6me d'6change de donn6es comportant au 
moins une unit6 de traitement de donn^es portative 
(5) comprenant un moyen de communication de 
donn6es (14), un moyen de traitement (15) et un 
moyen de memorisation (16), ce dernier contenant 
un programme d'ex6cution (17), caract6ris6 en ce 
que le moyen de memorisation (16) contient en 
outre au moins un contexte d'interaction (1 9(1 ). ..1 9 
(m)) pr6sentant la structure coherente de donnees 
suivante: 

a. un jeu de primitives de communication de ba- 
se (A(1)...) qui sont accept^es dans le cas oD 
I'unite de traitement de donn§es (5) comnnuni- 
que avec une unite (4) similaire, lesdites primi- 
tives incluant au moins une primitive utilisee 
pour entrer de mani^re selective dans I'un des- 
dits contextes d'interaction (19(1)....); 

b. un jeu de procedures de description (C(1 )...) 
definissant les actions ^ realiser en reponse ^ 
chacune des primitives de communication ac- 
ceptees (A(1 )...), comprenant au moins une 
premiere procedure de description ^ realiser h 
I'actlvation du contexte d'interaction, et une 
dernlere procedure de description k realiser im- 
mediatement avant la desactivation du contex- 
te; 

c. un jeu, eventuellement vide, memorise de 
maniere permanente ou calcuie, d'eiements de 
donnees qui sont disponibles pour §tre utilises 
lorsque. des procedures telles que definies 
dans les procedures de description (C(1)...) 
sont executees; 

d. un jeu, eventuellement vide, de references 
aux elements d donnees, lesquell s referen- 
ces sont associees aux procedures de descrip- 



tion (C(1 )...), lesdits elements dedonn6es sont 
aussi accessibles k d'eventuels autres contex- 
tes d'interaction et sont disponibles pour §tre 
utilises lorsque des procedures, telles que de- 
5 finies dans les procedures de description (C 

(1)...) sont executees; 

e. une llste de donnes, eventuellement vide, 
comprenant une llste de references (8(1)...) k 
des elements de donnees qui sont disponibles 

10 pour une reference expllcite comme partle 

d'une primitive de communication (A(1 )...) k utl- 
liser par la procedure de description (C(1)...) 
associee avec la primitive de communication; 

f . un jeu de conditions d'acces associe avec les 
IS elements de donnees qui sont references en 

association avec les procedures de description 
(C(1)...); 

g. un jeu de conditions d'accds associe h la llste 
de references de donnees (B(1)...) de la liste 

20 de donnees. 

2. Systems d'echange de donnees seion la revendi- 
catlon 1 , caracterlse en ce que le moyen de memo- 
risation (1 6) comprend en outre au moins deux con- 

25 textes d'interaction (19(1)...19(m)), au moins une 
description d'application (18(1)...) et un element de 
memorisation (20) contenant une reference au con- 
texte d'interaction courant qui est en vigueur, cha- 
que description d'application comprenant: 

30 

a. une llste de donnees contenant des referen- 
ces (E(1)...) k des elements de donnees, les- 
quelles references peuvent §tre accessibles k 
deux ou plusleurs contextes d'interaction (19 

35 (1)...) et peuvent §tre compietees par des ele- 

ments de donnees suppiementalres; 

b. un autre jeu de conditions d'acc^s associe 
auxdites references (E(1)...) ou auxdits ele- 
ments de donnees suppI6mentaires et definis- 

40 sant des restrictions d'utlllsation. 

3. Systeme d'echange de donn6es selon la revendl- 
catlon 2, caracterlse en ce que chaque description 
d'application (1 8(1 )...)) comprend aussi une librairie 

4S de procedures incluant des unites de code execu- 
table (F(1)...) qui peuvent §tre utillsees par des pro- 
cedures de description de chaque contexte d'inte- 
raction associe avec chacune desdites descriptions 
d'application (18(1)...). 

50 

4. Systems d'echange de donnees selon les revendi- 
catlons 2 ou 3, caracterlse en ce que le moyen de 
memorisation comprend au moins deux descrip- 
tions d'application (18(1)...) et des unites de code 

ss executable (G(1)...) qui peuvent etre utillsees par 
, des procedures de description (C(1)...) de chaque 
contexte d'interaction (19(1)...) k Tinterieur de cha- 
que description d'application (18(1)...) ou par cha- 
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que unit6 de code executable (F(1)...) de chaque 
librairie de procedures k rint6rieur de chaque des- 
cription d'application (18(1),..), 

5. Systeme d'6cliange de donn6es selon I'une quel- 5 
conque des revendications 3 ou 4, caract6ris6 en 
ce que les unites de code executable de la librairie 
de procedures sont ameiiorees en incluant une spe- 
cification d'utilisation de leurs parannetres opera- 
tionnels en classes se rapportant k des attributs ap- io 
partenant aux elements de donn6es qui peuvent 
etre passes comme valeur reelle dans un calcul, le- 
quel calcul est execute seulement si les attributs de 
donnees et classes de parametres correspondent. 



6. Systeme d'echange de donn6es selon Tune quel- 
conque des revendications 2^5, caract6rls6 en ce 
que le programme d'execution (1 7) comprend une 
reference k un contexte d'interaction pard6fau1 qui 
est utilise pour initialiser reiement de memorisation 
(20) contenant une reference au contexte d'interac- 
tion courant qui est en vigueur, dans le but de rea- 
liser une action finale apres detection d'une incohe- 
rence interne lors d'une reprise vers un 6tat normal 
de fonctionnement ou dans le cas ou le progrannme 
d'execution (17) est actif et qu'aucun contexte d'in- 
teraction explicite n'a ete specif ie par la primitive de 
communication regue k partir de I'unite de traite- 
ment de donnees oppos6e (4). 

7. Systeme d'echange de donnees selon I'une quel- 
conque des revendications prec6dentes, caract6ri- 
se en ce que le moyen de memorisation (16) con- 
tient un contexte d'interaction dedie qui inclut des 
Numeros d'Identification Personnels et en ce que 
le programme d'execution (17) est prevu de manie- 
re k verifier les Numeros d'Identification Personnels 
deiivres par un utilisateur du systeme d'echange de 
donnees. 

8. Systeme d'echange de donnees selon I'une quel- 
conque des revendications 2^7, caracterise en ce 
que chaque description d'application (18(1).,.) com- 
prend une liste de valeurs numeriques qui est cons- 
truite de manidre k creer des identificateurs pour 
tous les contextes d'interaction (19(1)...) et com- 
prend au moins une premiere valeur numehque in- 
dtquant un type d'application, une deuxieme valeur 
numehque indiquant une identification unique de 
I'entite fournissant ('application, une troisieme va- 
leur numerique indiquant la nature de la description 
d'application (18(1),..) et d'autres nombres se rap- 
portant chacun uniquement k un contexte d'interac- 
tion (1 9(1 )...) associe avec la description d'applica- 
tion. 

9. Systeme d'echange de donnees selon I'une quel- 
conque des revendications precedent s, caracteri- 



se en ce que le moyen de communication de don- 
nees ( 1 4) est congu de maniere k structurer rechan- 
ge de donnees en blocs de donnees comprenant 
au moins deux parties, une premiere partie repre- 
sentant des donnees et qualifiee d'operationnelle 
en ce qu'elle est utilisee pour influencer la nature 
des operations realisees par une instruction telle 
qu'indiquee par une primitive de communication ou 
des donnees resultant d'operations realisees. une 
seconde partie qualifiee de securite en ce qu'elle 
est utilisee pour determiner la convenance de la 
realisation d'une operation ou I'acceptabilite des 
donnees. dans la partie operationnelle, qui doit etre 
utilisee dans I'operation ou pour demontrer I'ache- 
vement de I'operation ou la validite des donnees re- 
sultanties. 

10. Data exchange system according to claim 9, characterised in that the executive program (17) is arranged to execute, on acceptance of a communication primitive in order to execute operations specified in the current interaction context (19(1)...), each operation as part of a predetermined and fixed sequence of actions, each of which is specified separately as part of a description procedure associated with the accepted communication primitive, which actions comprise at least the following actions:

a. authorisation of the use of the communication primitive;

b. decryption of the operational data or of any part thereof;

c. execution of an instruction with any input data;

d. encryption of any operational data resulting from any operation executed;

e. calculation of a proof of completion of any action executed, or of validity of the resulting data, which is to be used in security calculations.

11. Data exchange system according to any one of the preceding claims, characterised in that the data processing unit (5) produces, on initialisation of a data transfer, a random transaction number which serves as the basis for the encryption calculations.

12. Data exchange system according to any one of the preceding claims, characterised in that a communication primitive is assigned a specified value which will always be interpreted as a request to enter a new interaction context (19(1)...).
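As an added illustration of claims 9 to 12 (not code from the patent, nor from any product implementing it), the following Python model shows a card-side executive that handles every accepted primitive with the same fixed sequence a to e: authorise the primitive against the current interaction context, verify the security part of the data block and only then decrypt its operational part, run the instruction, encrypt the result and compute a proof of completion over it. The random transaction number is drawn by the card at the start of the transfer and all session keys and nonces are derived from it, and one reserved primitive value always means "enter a new context". Everything concrete here is an assumption: the reserved value 0x00, the status words, the HMAC-SHA256 key derivation, the XOR stream cipher built from an HMAC counter keystream, the 8-byte tag, and the "purse" application used as sample input.

```python
"""Card-side model of the data-block structure and fixed action sequence of claims 9 to 12 (constructed example)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ENTER_CONTEXT = 0x00                                  # assumed reserved primitive value (claim 12)
STATUS_OK, STATUS_REFUSED = b"\x90\x00", b"\x69\x82"  # constructed status words

def derive_key(master: bytes, label: bytes, txn: bytes) -> bytes:
    """Session keys are bound to the card's random transaction number (claim 11); HMAC-SHA256 as KDF is assumed."""
    return hmac.new(master, label + txn, hashlib.sha256).digest()

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed cipher: XOR with an HMAC-SHA256 counter keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class DataBlock:
    """Claim 9: an operational part (here always encrypted) and a security part (a tag over it)."""
    primitive: int
    operational: bytes
    security: bytes

@dataclass
class Context:
    """An interaction context: the primitives it admits and the instruction each one runs."""
    name: str
    instructions: Dict[int, Callable[[bytes], bytes]]

class Session:
    """Key material and message counter shared by both units for one transfer."""
    def __init__(self, master: bytes, txn: bytes):
        self.txn, self.seq = txn, 0
        self.enc_key = derive_key(master, b"enc", txn)
        self.mac_key = derive_key(master, b"mac", txn)

    def nonce(self) -> bytes:
        return self.txn + struct.pack(">I", self.seq)

    def tag(self, primitive: int, data: bytes) -> bytes:
        return hmac.new(self.mac_key, bytes([primitive]) + self.nonce() + data, hashlib.sha256).digest()[:8]

    def seal(self, primitive: int, plain: bytes) -> DataBlock:
        """Actions d and e: encrypt the operational data, then compute the proof over the ciphertext."""
        ct = stream_xor(self.enc_key, self.nonce(), plain)
        blk = DataBlock(primitive, ct, self.tag(primitive, ct))
        self.seq += 1
        return blk

    def open(self, blk: DataBlock) -> Optional[bytes]:
        """Check the security part first; only then is the operational part decrypted (action b)."""
        ok = hmac.compare_digest(self.tag(blk.primitive, blk.operational), blk.security)
        nonce = self.nonce()
        self.seq += 1                        # a received block consumes its counter value even when refused
        return stream_xor(self.enc_key, nonce, blk.operational) if ok else None

class Card:
    def __init__(self, master: bytes, contexts: Dict[str, Context], default: str):
        self.master, self.contexts, self.current = master, contexts, contexts[default]
        self.session: Optional[Session] = None

    def initialise(self) -> bytes:
        """Claim 11: at the start of a transfer the card draws a random transaction number and announces it."""
        txn = os.urandom(16)
        self.session = Session(self.master, txn)
        return txn

    def process(self, blk: DataBlock) -> DataBlock:
        """Claim 10: the same fixed sequence a to e for every primitive, whatever the context."""
        s = self.session
        # a. authorisation: the primitive must be admitted by the current interaction context
        if blk.primitive != ENTER_CONTEXT and blk.primitive not in self.current.instructions:
            s.seq += 1
            return s.seal(blk.primitive, STATUS_REFUSED)
        plain = s.open(blk)                  # b. decryption, after the security part has been verified
        if plain is None:
            return s.seal(blk.primitive, STATUS_REFUSED)
        if blk.primitive == ENTER_CONTEXT:   # claim 12: the operational part names the context to enter
            target = self.contexts.get(plain.decode("ascii", "replace"))
            if target is None:
                return s.seal(blk.primitive, STATUS_REFUSED)
            self.current, result = target, STATUS_OK
        else:
            result = self.current.instructions[blk.primitive](plain)   # c. execute the instruction
        return s.seal(blk.primitive, result)                            # d. encrypt, e. proof of completion

class Terminal:
    def __init__(self, master: bytes, card: Card):
        self.card, self.session = card, Session(master, card.initialise())

    def send(self, primitive: int, plain: bytes) -> Optional[bytes]:
        reply = self.card.process(self.session.seal(primitive, plain))
        return self.session.open(reply)      # None if the card's proof of completion does not verify

def purse_context(balance: list) -> Context:
    """Constructed application: a purse with 'read balance' (0x10) and 'debit' (0x20)."""
    def read_balance(_data: bytes) -> bytes:
        return struct.pack(">I", balance[0])
    def debit(data: bytes) -> bytes:
        amount = struct.unpack(">I", data)[0]
        if amount > balance[0]:
            return STATUS_REFUSED
        balance[0] -= amount
        return STATUS_OK
    return Context("purse", {0x10: read_balance, 0x20: debit})

def demo() -> tuple:
    """One transfer: a refused primitive, a context switch, two reads, a debit and a tampered block."""
    master, balance = b"constructed 32-byte master key!!", [1000]
    card = Card(master, {"default": Context("default", {}), "purse": purse_context(balance)}, "default")
    term = Terminal(master, card)
    r_early = term.send(0x10, b"")                     # refused: not admitted in the default context
    r_enter = term.send(ENTER_CONTEXT, b"purse")       # OK: context switch
    r_bal1 = term.send(0x10, b"")                      # 1000
    r_debit = term.send(0x20, struct.pack(">I", 250))  # OK
    r_bal2 = term.send(0x10, b"")                      # 750
    blk = term.session.seal(0x20, struct.pack(">I", 1))
    blk.operational = bytes([blk.operational[0] ^ 0x01]) + blk.operational[1:]  # tamper with operational part
    r_tamper = term.session.open(card.process(blk))    # refused: security part no longer matches
    return r_early, r_enter, r_bal1, r_debit, r_bal2, r_tamper, balance[0]
```

The point worth noticing is the order inside `Card.process`: the security part is verified before a single byte of the operational part is decrypted or acted upon, the counter advances on every block so a replayed block fails its tag, and a tampered block leaves the balance untouched while both sides stay in step for the next exchange.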
13. Data exchange system according to any one of the preceding claims, characterised in that it comprises another data processing unit (4), made up of the same elements as the data processing unit (4), which may optionally contain in its memory an application programmers' interface (10) consisting of program code designed to allow the implementation of additional computer programs intended to give users control of the sequence of communication primitives exchanged, or to modify the data transferred in them, or to learn the data received during the exchange or to carry out other processing on them.



... description of an action associated with the communication primitive, a second value being composed of a certain number of binary values to which specific meanings are assigned by the executive program (12, 17) and which is intended to be used for the interpretation of the data formats in the communication primitive and for the execution of the response actions.

14. Data exchange system according to claim 13, characterised in that the primitive used to enter a specified interaction context (19(1)...) comprises numerical values which are to be used in security calculations in subsequent communications, a first random value produced by one of the processing units and a second value serving to identify said first processing unit.

15. Data exchange system according to claim 13, characterised in that each communication primitive is composed of two or more numerical values, a first value being used to designate a description procedure of an action associated with the communication primitive, a second value being composed of a fixed number of binary values, each of which is interpreted by the executive program (12; 17) as a reference to a unique data element.

16. Data exchange system according to claim 13, characterised in that each communication primitive is composed of two or more numerical values, a first value being used to designate a description procedure of an action associated with the communication primitive, a second value being used to determine which of the data elements available for external reference in an active interaction context (19(1)...) is to be used while executing response actions, in such a way that any data element is selected if it contains a value which corresponds to said second value.
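Claims 15 and 16 give two readings of the second value of a primitive: a fixed-width bit set in which each bit references one data element of the active context, or a match value that selects the data element containing it. As an added example (not the patent's encoding, which the claims do not fix), the following Python code parses a primitive under an assumed three-byte layout, one byte of procedure number and a two-byte second value, and applies each reading with the checks a card would want: a bit that addresses no element of the context is an error rather than silently ignored, and a match value that fits more than one element is reported as ambiguous.

```python
"""Interpretation of the second value of a communication primitive (claims 15 and 16); constructed example."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

_LAYOUT = ">BH"   # assumed wire layout: 1-byte procedure number, 2-byte second value, big-endian

@dataclass
class Primitive:
    procedure: int   # first value: designates the action description procedure
    second: int      # second value: bit set (claim 15) or match value (claim 16), depending on the procedure

def encode_primitive(p: Primitive) -> bytes:
    return struct.pack(_LAYOUT, p.procedure, p.second)

def decode_primitive(raw: bytes) -> Primitive:
    """Strict parse: a malformed primitive is rejected before any procedure is looked up."""
    if len(raw) != struct.calcsize(_LAYOUT):
        raise ValueError("primitive must be exactly %d bytes" % struct.calcsize(_LAYOUT))
    procedure, second = struct.unpack(_LAYOUT, raw)
    return Primitive(procedure, second)

def elements_by_bit(p: Primitive, table: List[str]) -> List[str]:
    """Claim 15 reading: bit i of the second value (least significant first) references table[i]
    of the active context. Bits that address no element of this context are an error."""
    if p.second >> len(table):
        raise ValueError("reference outside the active interaction context")
    return [name for i, name in enumerate(table) if p.second & (1 << i)]

def element_by_value(p: Primitive, table: Dict[str, int]) -> Optional[str]:
    """Claim 16 reading: the data element whose content equals the second value is selected;
    two candidates would make the selection ambiguous, so that case is refused."""
    matches = [name for name, value in table.items() if value == p.second]
    if len(matches) > 1:
        raise ValueError("second value is ambiguous in this context")
    return matches[0] if matches else None
```

Which reading applies is decided by the procedure designated by the first value; the context's table of externally referenceable elements (the list or dictionary passed in) is what bounds either reading.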



17. Data exchange system according to claim 13, characterised in that each communication primitive is composed of two or more numerical values, a first value being used to designate a description procedure ...



EP 0 666 550 B1

[Figure 1: tree of Dedicated Files, each holding further Dedicated Files and Elementary Files]

[Figure 2: message sequence m1 ... mn between the two units: Reset, ATR, then messages each made up of a "Communication primitive" and its "Contents"]

[Figure 5: flowchart (reference numerals 30 to 51) of command processing on the card, with these boxes: Reset; Enter Card Kernel Operations Security Level; Check memory and operational state consistency; Enter MAXOS Security Level; Check stored application data consistency; Compose ATR message; Select default context; Enter CTA Security Level; Perform Context De-activation Procedure; Leave CTA Security Level; Select Specific CTA; Enter CTA Security Level; Do Generic Context Initialization; Enter Data Access Protection Level; Get Communication Primitive (command); Check Command Chain, Authenticate and Decrypt Input Data; Enter Data Access Protection Level; Perform Command with Input Data; Leave Data Access Protection Level; Perform Context Activation Procedure; Leave Data Access Protection Level; Generate Output Data and (Cryptographic) Proof of Command Completion]